October 24, 2018

Largest data breach in history costs Yahoo another $85M

Yahoo's 2013 data breach that compromised three billion accounts – the largest of all time – will cost the company an additional $85 million after a newly reached settlement orders the company to pay $50 million in damages, cover attorneys' fees up to $35 million and provide free credit-monitoring services to victims of the breach.

The company revealed the data breach in 2016, though it announced last year that all Yahoo accounts had been affected. The breach compromised names, email addresses, birthdates and phone numbers; financial information was not among the stolen data.

Yahoo, currently known as Altaba, agreed earlier this year to pay a $35 million penalty to the Securities and Exchange Commission (SEC) for failing to notify customers of the breach in a timely fashion.

NAFCU has been a leader in calling for a strong national data security standard that holds all entities that collect and store consumers' financial information accountable. The association has also shared with Congress principles credit unions would like to see addressed in any comprehensive cyber and data security legislation; it is currently engaged as Congress considers a bill that would require data breach notifications for financial entities akin to what is in place for financial institutions under the Gramm-Leach-Bliley Act.

The new settlement needs to be approved by the U.S. District Court for the Ninth Circuit.