TORONTO — Yahoo is facing a proposed class action on behalf of Canadians whose personal information may have been stolen, according to a notice of action filed Friday.
The $50-million claim would take in Canadians whose user account information was stolen, or whose email accounts were accessed in recent years.
According to the notice, the representative plaintiff, Natalia Karasik, of Barrie, Ont., received a letter from Yahoo on Thursday informing her that her information was part of a hack of its servers — in 2013.
Karasik, who could not immediately be reached, was unaware of the breach until she received the letter, the notice of action filed in Ontario Superior Court states. She has used email to chat about a wide range of personal information, including financial and health information, according to the notice.
“She’s been using her Yahoo email account as her exclusive email system,” lawyer Ted Charney said in an interview. “So, essentially, she’s at risk for someone having access to all of her emails and everything she’s done with her email account for a couple of years.”
Yahoo, based in Sunnyvale, Calif., did not immediately respond to a request for comment.
In September, the company sent a mass email to users to inform them that their account information had been stolen from its network in a cyberattack in late 2014. The information included email addresses, telephone numbers, dates of birth, passwords and security questions. The company said at least 500 million user accounts were affected.
This week, Yahoo alerted users to an earlier cyberattack — from August 2013 — with similar information hacked from more than one billion accounts.
“We have not been able to identify the intrusion associated with this theft,” Yahoo’s head of security Bob Lord said in an online post Dec. 14.
The company also said hackers used “forged cookie files” in separate attacks this year and last by which intruders could have accessed Yahoo user accounts.
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on Sept. 22, 2016,” Lord said.
The notice of action also asserts that documents filed with the Securities and Exchange Commission in November show Yahoo knew about the 2014 breach shortly after it occurred “contrary to its representations to its users.”
Toronto-based Rogers Communications, whose customers’ email accounts are “powered” by Yahoo, said it had “every reason” to believe some of them would have been affected.
“We have been in contact with Yahoo and understand they are taking steps to notify people potentially impacted,” spokesman Rogers Aaron Lazarus said in an email. “We encourage people to regularly change and set strong passwords.”
The unproven claim — which has yet to be certified as a class action or tested in any court — alleges Yahoo breached its contract with users, invaded their privacy, and unjustly enriched itself at their expense. The claim also seeks $10 million in punitive damages.
Charney said it was not necessary to prove under Canadian law that anyone actually suffered damages as a result of the hacks. Besides leaning on contract law, he noted relatively recent recognition of the wrongdoing of “intrusion upon seclusion,” which presumes damages if a privacy breach is proven.