ebook img

In Re Yahoo! Inc. Securities Litigation 17-CV-00373-First Amended Class Action Complaint for PDF

108 Pages·2017·0.86 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview In Re Yahoo! Inc. Securities Litigation 17-CV-00373-First Amended Class Action Complaint for

Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 1 of 108 1 POMERANTZ LLP Jeremy A. Lieberman (pro hac vice) 2 Emma Gilmore (pro hac vice) 3 600 Third Avenue New York, NY 10016 4 Telephone: (212) 661-1100 E-mail: Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 2 of 108 TABLE OF CONTENTS 1 NATURE OF THE ACTION ................................................................................................................... 1  2 JURISDICTION AND VENUE ............................................................................................................... 4  3 PARTIES .................................................................................................................................................. 5  4 SUBSTANTIVE ALLEGATIONS .......................................................................................................... 5  5 6 Background ................................................................................................................................... 5  Private Information Is Valuable to Criminals ............................................................................... 6  7 Yahoo Was Required to Timely and Accurately Disclose All of Its Security Vulnerabilities ... 10  8 During the Class Period, Yahoo Struggled to Stay Afloat.......................................................... 16  9 Despite Being Repeatedly Hacked During the Class Period, Yahoo Refused to Invest 10 in Needed Security Upgrades .......................................................................................... 21  The 2013 Data Breach ................................................................................................................ 28  11 The 2014 Data Breach ................................................................................................................ 32  12 The Forged Cookie Data Breach ................................................................................................. 37  13 Defendants Had Contemporaneous Knowledge of the Breaches ............................................... 38  14 Yahoo Is Assailed for Failure to Fulfill Its Disclosure Obligations ........................................... 44  15 The Breaches Jeopardized Yahoo’s Transaction with Verizon .................................................. 48  16 Yahoo Faces Significant Financial Exposure and Reputational Harm ....................................... 50  Materially False and Misleading Statements Issued During the Class Period ............................ 51  17 A.  False and Misleading Statements Made in 2013................................................. 52  18 B.  False and Misleading Statements Made in 2014................................................. 57  19 C.  False and Misleading Statements Made in 2015................................................. 68  20 D.  False and Misleading Statements Made in 2016................................................. 77  21 The Truth Begins to Emerge ....................................................................................................... 84  22 ADDITIONAL SCIENTER ALLEGATIONS ....................................................................................... 95  23 PLAINTIFFS’ CLASS ACTION ALLEGATIONS ............................................................................... 98  24 COUNT I .............................................................................................................................................. 101  Violation of Section 10(b) of the Exchange Act and Rule 10b-5 Against All Defendants ...... 101  25 COUNT II ............................................................................................................................................. 103  26 Violation of Section 20(a) of the Exchange Act Against The Individual Defendants .............. 103  27 PRAYER FOR RELIEF ....................................................................................................................... 104  28 FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) i Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 3 of 108 Lead Plaintiffs Ben Maher (“Maher”) and Sutton View Partners LP (“Sutton View”), and named 1 plaintiff Nafiz Talukder (“Talukder”) (collectively, “Plaintiffs”), on their behalf and on behalf of all 2 3 other persons similarly situated, by Plaintiffs’ undersigned attorneys, for Plaintiffs’ complaint against 4 Defendants (defined below), allege the following based upon personal knowledge as to Plaintiffs and 5 Plaintiffs’ own acts, and information and belief as to all other matters, based upon, inter alia, the 6 investigation conducted by and through Plaintiffs’ attorneys, which included, among other things, a 7 review of the Defendants’ public documents, conference calls and announcements made by Defendants, 8 9 United States Securities and Exchange Commission (“SEC”) filings, federal indictments, wire and press 10 releases published by and regarding Yahoo! Inc. (“Yahoo” or the “Company”), analysts’ reports and 11 advisories about the Company, and information readily obtainable on the Internet. Plaintiffs believe 12 that substantial evidentiary support will exist for the allegations set forth herein after a reasonable 13 opportunity for discovery. 14 15 NATURE OF THE ACTION 16 1. This is a federal securities class action on behalf of a class consisting of all persons other 17 than Defendants who purchased or otherwise acquired Yahoo securities between April 30, 2013 and 18 December 14, 2016, both dates inclusive (the “Class Period”). Plaintiffs seek to recover compensable 19 damages caused by Defendants’ violations of the federal securities laws and to pursue remedies under 20 Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) and Rule 10b-5 21 22 promulgated thereunder. 23 2. This action involves Defendants’ brazen failure to disclose the two largest data breaches 24 in U.S. history, in which hackers stole the records of more than one billion users in 2013 and 25 compromised the accounts of 500 million users in 2014 and caused financial harm to its investors. 26 Defendants also failed to disclose two additional massive data breaches in 2015 and 2016, which 27 28 affected approximately 32 million Yahoo users and caused financial harm to its investors. Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 4 of 108 3. Yahoo’s products and services involve the storage and transmission of Yahoo’s users’ 1 and customers’ personal and proprietary information, including the users’ names, email addresses, 2 3 telephone numbers, birth dates, passwords, social security numbers, security questions linked to a user’s 4 account, and credit and/or debit card information. Yahoo trumpets its access to users’ private 5 information in an effort to appeal to advertisers through its ability to conduct targeted advertisements. 6 While a user’s private information is indispensable and the most valuable asset to Yahoo’s business, it 7 is also “as good as gold” to identity thieves, who exploit it for a variety of nefarious reasons, including 8 9 draining the bank accounts of the victims whose information they misappropriated, claiming their 10 disability benefits, obtaining a driver license in their name, and committing tax fraud. 11 4. During the Class Period, Yahoo repeatedly warned in its public filings that cybersecurity 12 attacks represented a material operating risk, warning that “[i]f our security measures are breached, our 13 products and services may be perceived as not being secure, users and customers may curtail or stop 14 15 using our products and services, and we may incur significant legal and financial exposure.” 16 Understanding the gravity of identity theft, Defendants publicly acknowledged that “there is nothing 17 more important to [Yahoo] than protecting our users’ privacy.” To that end, Yahoo proclaimed on its 18 official website that “[t]ime is of the essence when we discover” security vulnerabilities and 19 “commit[ed] to publicly disclos[e] . . . [on its website] the vulnerabilities we discover within 90 days.” 20 21 Indeed, almost every state in the country makes it illegal for any company to improperly delay notifying 22 customers of data breaches because companies have little to no incentive to disclose hacks voluntarily, 23 given the financial and reputational harm a security breach can cause. Similarly, the Securities and 24 Exchange Commission requires “timely, comprehensive, and accurate information” about cybersecurity 25 incidents, particularly where a registrant experienced a cyber attack compromising customer data. 26 5. Defendants recently admitted they had contemporaneous knowledge of the breaches: 27 28 “the Company’s information security team had contemporaneous knowledge of the 2014 compromise FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 2 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 5 of 108 of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. 1 In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had 2 1 3 accessed certain user accounts by exploiting the Company’s management tool.” Despite their 4 contemporaneous knowledge of the massive breaches plaguing Yahoo during the Class Period, 5 Defendants misled investors through their repeated assurances that “Yahoo! takes your privacy 6 seriously,” Yahoo has “physical, electronic, and procedural safeguards that comply with federal 7 regulations to protect [users’] personal information,” “we implemented the latest in security best- 8 9 practices,” and “the bad guys who [in the past] have used email spoofing to forge and launch phishing 10 attempts . . . were nearly stopped in their tracks,” all the while failing to disclose the massive data 11 breaches threatening the privacy and security of nearly one billion customers. 12 6. Defendants had every reason to keep the breaches under wraps. The concealment 13 enabled Yahoo to maintain its user base and a needed stream of revenues at a time when the Company’s 14 15 financial performance was severely deteriorating. For example, while all online advertising revenue in 16 the U.S. increased by 16.9% year over year in Q3 2014 to $12.4 billion, Yahoo’s gross advertising 17 revenues declined by 1.3% to 4.61 billion. This lackluster performance prompted repeated calls for 18 Yahoo to sell itself. But even as it was finalizing a sale of its core business to Verizon in 2016, Yahoo 19 falsely represented in a regulatory filing on September 9, 2016, that “there have not been any incidents 20 21 of, or third-party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any 22 of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized 23 access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data” in 24 Yahoo’s possession. Since the breaches came to light, Verizon has threatened to walk out of the deal. 25 More recently, Verizon has successfully renegotiated a $ 350 million price reduction and has required 26 Yahoo to pay 50% of post-closing cash liabilities related to the data breaches. 27 28 1 Unless otherwise stated, all emphases are added. FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 3 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 6 of 108 7. Yahoo’s silence in the face of a duty to disclose angered not only investors, but U.S. 1 senators as well, who called the Company’s conduct “unacceptable” and questioned its “truthfulness in 2 3 representations to the public.” When the market learned of the data breaches through a series of 4 corrective disclosures, Yahoo’s shares plummeted by over 31%, significantly harming investors. 5 Moreover, during the Class Period, Yahoo’s core business declined by billions of dollars, leaving 6 investors exposed to inaccurate assumptions as a result of Defendants’ failure to disclose the data 7 breaches, and inflicting additional harm on investors. 8 9 8. As a result of its misconduct, Yahoo is the subject of numerous U.S. and foreign 10 government investigations, including by the SEC, the Federal Trade Commission and other federal, 11 state, and foreign governmental officials and agencies, including a number of State Attorneys General, 12 and the U.S. Attorney’s office for the Southern District of New York, and is facing no fewer than 43 13 consumer class actions. 14 15 JURISDICTION AND VENUE 16 9. The claims asserted herein arise under and pursuant to §§10(b) and 20(a) of the 17 Exchange Act (15 U.S.C. §§78j(b) and §78t(a)) and Rule 10b-5 promulgated thereunder by the SEC (17 18 C.F.R. §240.10b-5). 19 10. This Court has jurisdiction over the subject matter of this action under 28 U.S.C. §1331 20 and §27 of the Exchange Act. 21 22 11. Venue is proper in this Judicial District pursuant to §27 of the Exchange Act (15 U.S.C. 23 §78aa) and 28 U.S.C. §1391(b). Yahoo’s principal executive offices are located within this Judicial 24 District. 25 12. In connection with the acts, conduct and other wrongs alleged in this Complaint, 26 Defendants, directly or indirectly, used the means and instrumentalities of interstate commerce, 27 28 FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 4 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 7 of 108 including but not limited to, the United States mail, interstate telephone communications and the 1 facilities of the national securities exchange. 2 3 PARTIES 4 13. Plaintiffs, as set forth in the Certifications previously filed with the Court, purchased 5 Yahoo securities at artificially inflated prices during the Class Period and were damaged upon the 6 revelation of the alleged corrective disclosures. 7 14. Defendant Yahoo! Inc. is incorporated in Delaware, and the Company’s principal 8 9 executive offices are located at 701 First Avenue, Sunnyvale, California, 94089. Yahoo’s common 10 stock trades on the NASDAQ under the ticker symbol “YHOO.” 11 15. Defendant Marissa A. Mayer (“Mayer”) has served at all relevant times as the 12 Company’s Chief Executive Officer (“CEO”) and a member of the Company’s Board of Directors. 13 16. Defendant Ronald S. Bell (“Bell”) served as General Counsel and Secretary of Yahoo 14 from August 13, 2012 until March 1, 2017. Bell served as Vice President at Yahoo from 2001 until 15 16 March 1, 2017. He served as Deputy General Counsel of the Americas Region from March 2010 to 17 July 2012. 18 17. Defendant Alex Stamos (“Stamos”) served as Yahoo’s Chief Information Security 19 Officer from March 10, 2014 to approximately June 30, 2015. Stamos reported directly to Defendant 20 Mayer. 21 22 18. The Defendants referenced above in ¶¶15-17 are sometimes referred to herein as the 23 “Individual Defendants.” 24 SUBSTANTIVE ALLEGATIONS 25 Background 26 19. Yahoo, together with its subsidiaries, is a multinational technology company that 27 provides a variety of internet services, including, inter alia, a web portal, search engine, Yahoo! Mail, 28 FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 5 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 8 of 108 Yahoo! News, Yahoo! Finance, sports, advertising, and a microblogging and social networking website, 1 Tumblr. As of February 2016, Yahoo had an estimated 1 billion monthly active users. To utilize 2 3 Yahoo’s services, users must setup user account(s), which requires users to provide Yahoo with private, 4 personal information. 5 20. Yahoo derives most of its revenue from advertising through search, display, and native 6 advertising, including mobile advertising. Critical to Yahoo’s appeal to advertisers is their ability to 7 target advertisements to users based upon their personal information. Yahoo prominently features this 8 9 ability to collect information, target specific demographics, and track users’ browsing and offline habits 10 in its pitch to advertisers. 11 21. Accordingly, as part of its business, Yahoo collects and stores large volumes of private 12 information about its users, including the users’ names, email addresses, telephone numbers, birth 13 dates, passwords, social security numbers, information about assets, and security questions linked to a 14 15 user’s account (“Private Information”). Yahoo requires this information in order to create an account 16 and/or for its financial products and services. 17 22. During the Class Period, Yahoo represented that “protecting our systems and our users’ 18 information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our 19 2 users’ trust.” Yahoo vouched that “[w]e have physical, electronic, and procedural safeguards that 20 3 21 comply with federal regulations to protect personal information about you.” 22 Private Information Is Valuable to Criminals 23 23. It is well known and the subject of many media reports that Private Information is highly 24 coveted and a frequent target of hackers. Legitimate organizations and criminals alike recognize the 25 value of Private Information. Otherwise, they would not aggressively seek or pay for it. For example, 26 2 27 Security at Yahoo, Yahoo!, https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index. htm. 28 3 Id. FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 6 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 9 of 108 in “one of 2013’s largest breaches [involving a leading software company] . . . not only did hackers 1 compromise the [card holder data] of three million users, they also took registration data from 38 2 4 3 million users.” Similarly, in the data breach of Target Corporation, between November 27 and 4 December 15, 2013, hackers stole personal information of as many as 70 million people, including 5 customer names, mailing addresses, phone numbers, credit or debit card numbers, and the card’s 6 expiration date and CVV (card verification value). “Increasingly, criminals are using biographical data 7 5 gained from multiple sources to perpetrate more and larger thefts.” 8 9 24. Private Information is “as good as gold” to identity thieves, in the words of the Federal 10 6 Trade Commission (“FTC”). Identity theft occurs when someone uses another’s personal identifying 11 information, such as that person’s name, address, credit card number, credit card expiration date, and 12 other information, without permission, to commit fraud or other crimes. The FTC estimates that as 13 many as 10 million Americans have their identities stolen each year. As the FTC recognizes, once 14 15 identity thieves have private information, “they can drain your bank account, run up charges on your 16 7 credit cards, open new utility accounts, or get medical treatment on your health insurance.” 17 25. According to Javelin Strategy and Research, “1 in 4 data breach notification recipients 18 8 became a victim of identity fraud.” Nearly half (46%) of consumers with a breached debit card 19 became fraud victims within the same year. 20 21 26. Identity thieves can use Private Information to perpetrate a variety of crimes. For 22 instance, they may commit various types of fraud upon the U.S. government, such as: immigration 23 4 Verizon 2014 PCI Compliance Report, http://www.nocash.info.ro/wp-content/uploads/2014/02/ Verizon_pci-report-2014.pdf (hereafter “2014 Verizon Report”), at 54. 24 5 Id. 25 6 FTC Interactive Toolkit, Fighting Back Against Identity Theft, http://www.dcsheriff.net/community/documents/id-theft-tool-kit.pdf. 26 7 FTC, Signs of Identity Theft, available at http://www.consumer.ftc.gov/articles/ 0271-signs-identity- 27 theft. 8 2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters, 28 http://www.javelinstrategy.com/brochure/276 (the “2013 Identity Fraud Report”). FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 7 Case 5:17-cv-00373-LHK Document 28 Filed 06/07/17 Page 10 of 108 fraud; obtaining a driver’s license or identification card in the victim’s name but with another’s picture; 1 using the victim’s information to obtain government benefits; or filing a fraudulent tax return using the 2 3 victim’s information to obtain a fraudulent refund. 4 27. Additionally, identity thieves may obtain medical services using consumers’ 5 compromised private information or commit any number of other frauds, such as obtaining a job, 6 procuring housing, or even giving false information to police during an arrest. 7 28. As depicted in the chart below, a hacked email account gives criminals access to a 8 9 9 treasure trove of Private Information: 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 29. According to Steve Grobman, chief technology officer for Intel Security, email accounts 25 are a jackpot for criminals, as they often contain passwords for financial and workplace accounts, 26 information about investments, and details about the work projects and business plans of anyone from 27 9 Brian Krebs, The Value of a Hacked Email Account, KrebsonSecurity (June 13, 2013), 28 http://www.krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account. FIRST AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case No. 17-CV-00373 (LHK) 8

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.