Hudson’s Bay Co. might have uncovered and stopped its recent data breach, but its problems aren’t over.
A shopper on Tuesday slapped the Saks Fifth Avenue, Saks Off 5th and Lord & Taylor operator with a $5 million proposed class action lawsuit in California federal court, accusing the company of effectively allowing the breach to occur for almost a full year due to its inadequate security and data know-how.
“The data breach was a direct and proximate result of defendants’ failure to properly safeguard and protect plaintiff’s and class members’ [private identifiable information] from unauthorized access, use and disclosure, as required by various state and federal regulations, industry practices and the common law,” shopper Antranik Mekerdijian wrote in his complaint. “The data breach was also a result of defendants’ failure to establish and implement appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of plaintiffs’ and class members’ [information] to protect against reasonably foreseeable threats to the security or integrity of such information.”
Mekerdijian added that the breach compromised the information of millions of customers, including full credit and debit card numbers, e-mail and living addresses, phone numbers and social security numbers, exposing them to fraud and identity theft and forcing them to spend time and money securing their information.
Considering HBC’s “wrongful action and inaction,” Mekerdijian is accusing the company of breach of implied contract, negligence, unfair competition and deceptive business practices and invasion of privacy and seeking damages for a certified class of national shoppers of at least $5 million.
Litigation after consumer data breaches is relatively common, especially when information like social security data is accessed, but awards, if a case gets to the damages stage, can be small. Plaintiffs tend to have difficulty proving to a court that they suffered actual damages worthy of a substantial award, but settlements are often reached before a case drags on for too long.
An HBC spokeswoman declined to comment, citing a company policy on pending litigation.
The company revealed the breach over the weekend, saying it had “identified the issue and taken steps to contain it” and that it intends to offer any impacted shoppers “free identity protection services, including credit and web monitoring.”
Although HBC gave few details about the breach, Mekerdijian’s lawsuit did shed some light, including that millions of customers have been affected. He said it was first “announced” on March 28 by “a hacking syndicate called JokerStash” through its release of the records online. The breach allegedly took place over almost a year, beginning in May 2017.
He added that credit and debit card information is valuable to hackers because it can be sold for around $20 apiece and then used to “clone” the cards, as is personal information associated with the cards, which can be used to facilitate identity theft. Mekerdijian said he shopped at “several” Saks and Lord & Taylor stores during the year customer information was being siphoned.
Despite the well-known ramifications of data theft and their apparent frequency in retail, with Target, TJX Cos. Inc. and more recent Sears and Under Armour, finding their customer information compromised, Mekerdijian said HBC’s stores “opted to maintain an insufficient and inadequate system.”
For More, See: