Online Design Marketplace Minted Sued Under New California Consumer Privacy Law
MoginRubin Files Class Action Alleging Damages to Millions of Consumers in Wake of Recent Data Breach
SAN FRANCISCO – June 15, 2020 – Customers whose private information was stolen by hackers in a massive data breach by a group called the Shiny Hunters have filed a class action lawsuit against Minted Inc., an online marketplace for crowdsourced home goods, art and stationery.
The complaint against the San Francisco-based company was filed on June 11, 2020, by San Diego-based law firm MoginRubin LLP in the U.S. District Court for the Northern District of California. The suit, one of the first California Consumer Privacy Act cases filed in federal court, alleges that Minted violated the CCPA when it failed to implement and maintain reasonable security procedures and practices, and ultimately exposed the data of millions of its customers.
The Shiny Hunters hacking group obtained customers’ personally identifiable information from Minted’s user database on May 6, 2020, and later attempted to sell 5 million of the records. Minted allegedly “became aware of a report that mentioned Minted as one of 10 companies impacted by a potential cybersecurity incident” on May 15, 2020, according to a notice to the company’s customers. Affected customers were not notified that PII including names, email addresses, scrambled passwords, phone numbers and shipping addresses, had been disclosed to unauthorized and malicious third parties until May 28, 2020. Minted asserted that it had “no reason to believe that…payment or credit card information, address book information, photos or personalized information” were stolen, but has not confirmed that is the case, nor justified its reasoning for that belief.
The consumers are represented by Dan Mogin, Jennifer Oliver and Timothy LaComb of MoginRubin. In addition to a request for compensatory, statutory and punitive damages, plaintiffs are asking the court to order Minted to implement reasonable security procedures and practices to protect customers’ PII.
“Minted’s privacy policy assures Minted customers that their PII is secure,” Oliver said. “Despite these assurances and the significant benefit Minted receives by collecting and maintaining customer PII, the company failed to reasonably protect this personal information, allowing hackers to run roughshod over its system.”
Given the PII it maintains, Minted allegedly failed to maintain reasonable security controls as required by the California Consumer Privacy Act and other common and statutory laws. For example, the passwords the hackers obtained had been hashed and salted – which offered a certain level of protection – but can still be accessed and used by skilled hackers. Minted also allegedly failed to maintain proper breach detection capabilities, as evidenced by the fact that the company learned of the theft of millions of customer records in a public report and did not notify consumers until 22 days later. Had the company proactively engaged in appropriate protocols, customers could have been alerted much more quickly.
“While Minted claims that it is continuing to investigate the incident and has since enhanced its security, the fact is the viewing, theft and attempted sale of California consumers’ PII on the dark web can never be undone,” Oliver said. “Once the data has been compromised and the victims’ sensitive information exposed, it’s too late.”
The case is Atkinson v. Minted, Inc., N.D. Cal., No. 3:20-cv-03869. A copy of the complaint will be provided upon media request and the plaintiffs’ attorneys are available for interviews.
Read the official press release on PR Web here.