Yahoo! Inc. is being accused in lawsuits of failing to secure customer data after the company said the personal information of at least 500 million users was stolen in a 2014 hack.
As a result of the company’s “failure to establish and implement basic data security protocols, contrary to Yahoo’s guarantees, its users’ personal information is now in the hands of criminals and/or enemies of the U.S.,” according to the latest complaint, filed Friday in federal court in San Jose, California.
The case was filed by a New York resident and seeks class-action status on behalf of other Yahoo users. Similar cases have been filed in Illinois and San Diego.
The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon Communications Inc., set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.
Yahoo spokesman Charles Stewart declined to comment on the San Jose complaint.
Plaintiff Ronald Schwartz is asking the court to require Yahoo to compensate users for any damages resulting from fraud and to pay for measures to identify and safeguard compromised accounts.
Schwartz slammed Yahoo for failing to discover the data breach until a fewmonths ago.
“Defendant’s misconduct was so bad that it evidently allowed unauthorized and malicious access to plaintiff’s and the class’s personal information on defendant’s computer systems to continue unimpeded for nearly two years,” according to the complaint.
The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, un-encrypted security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate theft of payment card data or bank account information, or unprotected passwords, the company said. Affected users are being notified, accounts are being secured, and there’s no evidence the attacker is still in the network, Yahoo also said.
The case is Schwartz v. Yahoo! Inc., 5:16-cv-05456, U.S. District Court, Northern District of California (San Jose).