Yahoo's proposed settlement over massive data breaches hasn't passed muster in the courtroom. Judge Lucy Koh has rejected the settlement from the company (now owned by Engadget parent Verizon) for not specifying how much victims could expect to recover. While the proposal included $50 million in damages and would pay $25 for every hour spent dealing with the breaches, Koh was concerned that it didn't reveal the scope of the settlement fund or the costs of the two years of promised credit monitoring. The judge was also worried the proposed class for the settlement was too large, as it didn't reflect the considerably smaller number of active users during the affected period.
Koh added that Yahoo's settlement details continued a "pattern of lack of transparency" that manifested in the breaches themselves, where the company revealed breaches years after they took place and wasn't clear about how it would support victims. She was also concerned that the $35 million cap on the plaintiffs' lawyer fees was "unreasonably high" given that their case was "not particularly novel."
In a statement, Verizon said it was "confident" there was a "viable path forward" despite the judge denying preliminary approval.
The denial isn't a complete surprise. The settlement was meant to cover 200 million people across the US and Israel with close to 1 billion accounts. That's a lot of potential recipients, and there's a concern that victims could get less than they're due despite the threats to their privacy and security.