Online Marketplace Minted Facing CCPA Breach-related Class Action Lawsuit

Due to an alleged failure to put in place appropriate security measures to safeguard personal information, online design marketplace Minted Inc. is facing a class action lawsuit for breaching the California Consumer Privacy Act.

The proposed class action lawsuit was filed in San Francisco federal court last Thursday (June 11, 2020), and follows the company making public, during May, that unauthorized individuals had obtained access to the names and account login details of clients. The action was submitted under the California Consumer Privacy Act on behalf of the plaintiffs whose personal information was compromised in the breach.

It is thought that the personal data of approximately five million Minted users was stolen in the breach. Minted allows customers to place orders for art, holiday cards, and wedding invitations using community-created graphic designs. On the same day that the breach occurred, the hacking group Shiny Hunters released a claim stating that it had stolen the private data of five million user accounts. The group made the data available for a price of $2,500 on an underground forum.

In the breach notification published on the website, it was revealed that the stolen information included customer names and login credentials, specifically email addresses and hashed and salted passwords. Telephone numbers, billing addresses, shipping addresses, and birth dates may also have been impacted.

In the filing, the two plaintiffs, Melissa Atkinson and Katie Renvall, claimed that the company failed in its duty under CCPA legislation to properly safeguard personally identifiable information. It was claimed that the company could have avoided this breach if it had invested in adequate security measures.

CCPA laws are applicable to companies that have gross annual revenues in excess of $25 million, companies sharing the data of more than 50,000 clients, or companies that earn 50% or more of their revenues from trading protected personal data, which for purposes of the law has a vague definition. Under the law, these businesses must disclose their data collection and sharing practices and allow consumers to delete their personal information if they so wish. Consumers must also be given the chance to opt out of the sale of their data.

CCPA penalties are $2,500 for each unintentional violation or $7,500 for each intentional violation after notice and a 30-day opportunity to address the issue. Penalties sought under a private right of action range from $100 to $750 per violation.