Slashdot Mirror


Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com)

Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.

5 of 56 comments

  1. Not good enough by Anonymous Coward · Score: 5, Insightful

    When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. It doesn't solve the problem, either, because these are usually settled to the benefit of the lawyers. Instead, the executives and any managers who were behind this negligence need to spend some serious time in prison. Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach. I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice. However, there also needs to be some lengthy jail sentences for plenty of people at Yahoo. It's also time that companies like Yahoo that do this have to pay serious restitution to everyone on the receiving end of such a breach, enough so to put the company out of business (that shouldn't be hard in Yahoo's case).

    1. Re:Not good enough by MoarSauce123 · Score: 4, Insightful

      Worse even, if Yahoo is convicted and has to pay damages, it will be less expensive than implementing proper safeguards. As long as breaches are cheaper than security, not much will happen.

  2. Re:Cheaper to get hacked than do security maintena by h33t+l4x0r · Score: 4, Insightful

    It's not about that. The initial hack could have been anything from a 0day to a 5 year old exploit - you don't know and that's not the issue anyway. The issue is that they didn't tell anybody about it for 2 years. Users need to know that their passwords are compromised because they often will (for example) use the same password for online banking.

  3. Seems fair by melting_clock · Score: 4, Insightful

    Gross negligence is accurate enough when a company allows data on 500 million customers to be hacked and then fails to notify those customers for 2 years. Choosing to keep this from customers achieves little more than proving the company cannot be trusted. This should have been handled better.

    Fixing the problems, then disclosing the breach and taking immediate action to protect customers would be the action of a responsible and trustworthy company.

    This is going to cost them customers and reduce the value of the company. Not an ideal situation for anyone about to buy it...

  4. Re:Cheaper to get hacked than do security maintena by JaredOfEuropa · Score: 3, Insightful

    pre-ITIL cowboy days

    Are things a lot better post-ITIL? In my experience ITIL has made things a lot more predictable... most often predictably awful. Not that I blame ITIL for that; that's like blaming your hammer for the shoddy birdhouse you built. It's more like a crutch: people think "if we all do what it says in this book, we'll do better". In terms of business outcomes I have not found that to be true very often.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...