Tech giant Yahoo has settled a court case related to the massive, previously undisclosed data breaches the company experienced between 2013–14 to the tune of $50m in damages.
Personal information and passwords from around three billion accounts were compromised in the company's first breach in 2013. Later, in 2014, another breach affected a further 500 million accounts. Yahoo, however, declined to disclose this breach until it began negotiations to sell its digital services to Verizon Communications in 2016, at least two years after the last incident.
The decision to not disclose the data breach led to Verizon receiving a $350m reduction in the already negotiated sum of $4.83bn due to the reputational damage to the brand which the incidents and Yahoo's poor handling of the situation caused.
Verizon will have to take on half of the penalty while the other half will be paid for by Altaba Inc, the company created to hold on to Yahoo's Asian investments. The Securities and Exchange Commission previously ordered Altaba to pay out $35m in fines for failing to disclose the breach to its investors.
The $50m fine is to be paid out in compensation to Yahoo customers who had their accounts affected by the breach. $25 will be paid for every hour a Yahoo user spent trying to deal with the fallout resulting from the breach. Those with documented losses will be able to claim up to $375, while those without proof will be able to claim up to $125. Every account user with a premium account will also be eligible to a 25% refund and for the next two years, the company will be responsible for paying for credit monitoring services for the 200 million users who potentially had their identities stolen.
The final ruling is set for November 29 and could be one of the most expensive consumer data breaches of all time.