Yahoo proposes $117.5M in compensation to settle data breach case
Yahoo, currently a division of Verizon Communications Inc., may be close to putting to bed its long-running saga over the biggest hack of all time via a revised $117.5 million data breach settlement.
The class-action settlement was disclosed publicly on Tuesday and was reported to address criticisms from U.S. District Judge Lucy Koh, who had previously rejected a settlement offer in January.
The proposed settlement includes a minimum of $55 million for victims’ out-of-pocket expenses, $24 million to pay for two years of credit monitoring service, as much as $30 million for legal expenses and an additional $8.5 million for unspecified expenses.
Three billion Yahoo accounts were compromised in August 2013, with data stolen including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. In a separate hack in 2014, 500 million accounts were compromised.
John Yanchunis, a lawyer for the plaintiffs, said in a court filing that the $117.5 million was the “biggest common fund ever obtained in a data breach case.”
A Verizon Media spokesperson said that “we believe that the settlement demonstrates our strong commitment to security.”
Verizon itself does not exactly have a perfect record when it comes to data security, with 14 million customer records exposed via a misconfigured Amazon Web Services Inc. S3 instance in 2017, though that was blamed on a contractor.
Doubling down, Verizon said that it would spend $306 million between 2019 and 2022 on information security, five times what Yahoo spent from 2013 to 2016. In addition, it pledged to quadruple Yahoo’s staffing in cybersecurity as part of the settlement agreement.
High-Tech Bridge SA Chief Executive Officer Ilia Kolochenko told SiliconANGLE that on average, that’s $25 per compromised account, which he called “embarrassingly modest compensation for breach of your privacy and stolen personal data.”
But he added that it’s common that class actions enrich the attorneys more than the victims. “Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection,” he said. “In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”
Yahoo’s proposed settlement is yet to be accepted by the U.S. District Court, Northern District of California. When the settlement will be considered by the court isn’t clear.