By Ethan Baron, The Mercury News
SAN JOSE, Calif. — Mere hours after news that hundreds of millions of Yahoo user accounts had been hacked, users of the firm’s services filed a class-action suit in U.S. District Court in San Diego accusing Yahoo of putting users’ finances at risk and failing to notify them earlier about the breach.
“While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit filed Thursday said. “Two years is an unusually long period of time in which to identify a data breach.”
Other allegations against Yahoo in the suit include deception, misrepresentation, invasion of privacy and negligence.
The plaintiffs had come to the firm of San Diego lawyer David Casey before news of the breach broke Thursday, believing their personal information had been stolen, Casey said Friday. “They were trying to figure out how people were accessing their information,” Casey said. “When this (breach) became public they put two and two together.”
One of the plaintiffs suffered an identity theft that led to “intrusion into personal financial matters,” Casey said.
In the hack, which appears to be the largest in history, users’ email addresses, birth dates, phone numbers, passwords with various levels of encryption, and security questions and answers “may” have been among the data stolen, Yahoo said Thursday. The company said users’ financial information had not been compromised.
However, the lawsuit claimed Yahoo users’ financial information had been breached. Casey said it wasn’t necessary for financial data to have been stolen in the Yahoo breach to jeopardize users’ finances, as non-financial information can be used to steal identities and gain access to personal finances.
Yahoo declined to discuss the lawsuit’s allegations, saying it didn’t comment on ongoing litigation.
The firm said Thursday it had discovered the hack during a “recent” investigation, and a source close to the matter said the discovery occurred after a probe into what turned out to be an unfounded report from July of a breach of user data. The suit cites research saying the average time to identify a hack is 191 days and the average time to contain a breach is 58 days after it’s discovered. Casey said the fact that it took Yahoo nearly two years to find out it had been hacked was a significant factor in the legal case.
“There’s a breach and for two years you’re not told about it and in the meantime you’re continuing to use all your private data for all your accounts. The longer it goes undisclosed the greater potential harm to individuals,” Casey said. “Another key issue is the fact the intrusion occurred at all. When you deal with a sophisticated company like Yahoo, they certainly should have state-of-the-art systems in place to avoid this type of hacking.”
The complaint was filed by San Diego residents Jennifer J. Myers and Paul Dugas, who stated that they were Yahoo users at the time of the 2014 data theft, which Yahoo said hit at least 500 million user accounts.
The number of people alleged in the suit to be potential class-action participants is 500,000. The plaintiffs are seeking unspecified damages.
Yahoo, in the midst of a $4.8 billion sale to Verizon, blamed a “state-sponsored actor” for the attack, but did not name the country allegedly involved.
The FBI said it was investigating the matter and pledged to find whoever was responsible.
Casey said he expected many other lawsuits to be filed against Yahoo over the breach, and that he anticipated all such legal actions would be rolled into one class-action suit. The plaintiffs in the San Diego case are seeking a jury trial.
The price of Yahoo stock rose slightly on Thursday as news of the breach was circulating, but began to drop in after-hours trading. After opening Thursday at $43.94, the share price sank to a close of $42.80 on Friday.
©2016 The Mercury News (San Jose, Calif.) Distributed by Tribune Content Agency, LLC.
