In a claim that appears to contradict Yahoo’s public statements on two record-setting breaches of users’ personal data, a Texas insurance agent is alleging in a just-filed class-action lawsuit that his credit card data was stolen in the hacks, leading to fraudulent charges.
Brian Neff, who owns an online insurance company based in Little Elm, Texas, said in the suit he paid Yahoo for web hosting and small-business email services.
“In addition to paying Yahoo thousands of dollars for services that subjected him to a security breach, Mr. Neff was also a victim of actual identity theft following the data breaches,” said the lawsuit filed Feb. 8 in U.S. District Court in San Jose.
“He incurred fraudulent charges on his Capital One credit card and his Chase debit card, both of which were on file with Yahoo to pay for services connected with two of his websites, with Yahoo being the only company to which Mr. Neff had provided information about both accounts.”
The suit further alleged that an unauthorized credit card account in Neff’s name was opened at Credit One Bank in 2015, with fraudulent charges made in May and June of that year.
“The probability that separate criminals stole card information from separate sources, stole the information necessary to open a new credit card account from a separate source, and made fraudulent charges on all three cards in the same month is staggeringly remote,” the lawsuit said.
Yahoo said Feb. 8 it did not comment on litigation. Whether the claimed theft of Neff’s credit and debit card information and fraudulent creation of a credit card account resulted from the firm’s data breaches remains unproven.
In the latter part of last year, Yahoo announced two record-setting hacks, of at least 500 million accounts in 2014 and of more than a billion accounts in 2013. The company also said in a Securities and Exchange Commission filing that it knew of the 2014 hack for nearly two years before revealing it.
Yahoo has issued two statements, one for each breach, concerning what might have been stolen. Both statements said email addresses, telephone numbers, dates of birth, scrambled passwords, and security questions and answers may have been taken.
Both statements said that Yahoo’s investigation indicated no payment-card data or bank account information was taken.
Regarding the 2014 hack, “payment card data and bank account information are not stored in the system that the investigation has found to be affected,” Yahoo said.
The firm’s statement on the 2013 breach is slightly less conclusive: “Payment card data and bank account information are not stored in the system the company believes was affected,” Yahoo said.
Neff’s suit accused Yahoo of negligently failing to take reasonable measures to protect users’ data, failing to prevent the data breaches, failing to notify users that Yahoo’s data-security measures were inadequate, and failing to promptly disclose it had been hacked. The firm’s actions amounted to fraudulent and deceptive business practices, according to the suit.
Neff is seeking unspecified damages, and certification of a plaintiff class made up of small-business customers of Yahoo.
The Sunnyvale tech giant is in the midst of a sale to Verizon that has been delayed, and could be scrapped, as a result of the breaches. Yahoo has said it remains committed to the sale, but Verizon said in January it’s still evaluating the larger of the two hacks.
Yahoo said in January that the sale, supposed to close in the first quarter of this year, would be delayed until the second quarter.
Analysts have predicted that if Verizon does buy Yahoo, it will be at a significant discount from the initial $4.8 billion price.
Yahoo faces at least two dozen lawsuits related to the hacks, several of which have been wrapped into one.
Photo: Yahoo CEO Marissa Mayer delivers the keynote address in February 2016 at the Yahoo Mobile Developer Conference in San Francisco. (Eric Risberg/AP)