Monday night, a federal judge rejected a settlement proposed by Yahoo in a class-action suit brought against the company after it failed to report two major data breaches that affected over 3 billion users in 2014 and 2016.
Yahoo’s proposed settlement would have paid out $50 million and provided two years of free credit monitoring services to roughly 200 million people in the US and Israel, according to Reuters.
US District Judge Lucy Koh rejected the settlement on the grounds that Yahoo had never disclosed the total size of the settlement fund or the cost of the credit monitoring services.
“The proposed notice does not disclose the costs of credit monitoring services or costs for class notice and settlement administration, and does not disclose the total size of the settlement fund,” Koh wrote in the ruling. “Without knowing the total size of the settlement fund, class members cannot assess the reasonableness of the settlement.”
It wasn’t until July 2016 that Yahoo fully disclosed the scope of the breach, after it agreed to sell its internet business to Verizon for close to $5 billion. The Yahoo breaches still rank among the largest in history, taking the first and third spots. The Marriott breach from last fall nearly ties Yahoo’s 2014 breach at 500 million users affected.
“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote.