A proposed class action lawsuit has been filed against cbdMD, Inc. and CBD Industries, LLC over two data breaches that reportedly occurred between March and May 2020.
According to the case, the defendants’ failure to safeguard customers’ personal and financial data allowed the information to be exposed to unauthorized third parties and has placed affected customers at a heightened risk of identity theft and fraud.
“The criminals obtained everything they needed to illegally use CBD’s customers’ payment cards to make fraudulent purchases, and to commit myriad financial crimes and fraud,” the complaint scathes.
The lawsuit alleges the defendants, who sell hemp products used for pain relief and general health for both humans and pets, notified the U.S. Securities and Exchange Commission (SEC) on September 25, 2020 that an unauthorized party had modified the ecommerce platform underlying cbdmd.com to include “malicious code” that “scraped” customers’ personal identifying information (PII) from the site.
On September 29, CBD sent notice to several states’ attorneys general specifying that two data breaches had occurred “from March 30, 2020, through May 8, 2020, and May 14, 2020, through May 18, 2020,” the suit relays.
Per the case, the “scraped” information included customers’ names, addresses, email addresses, payment card numbers, CVV security codes, credit card expiration dates and bank account numbers.
In data breach notices sent to affected customers days after the companies’ stockholders were notified, the defendants offered only 12 months of “identity monitoring” and failed to “admit to improving or securing their ecommerce platform,” much less provide any details of their investigation into the security events, the suit says.
The case asserts that CBD customers’ private information “is likely for sale on the dark web” to criminals who intend to use the information to commit fraud and steal customers’ identities.
“This means that the Data Breaches were successful,” the complaint states, adding that the defendants should have been prepared to defend against security breaches given the FBI issued a warning in October 2019 “about this exact type of fraud” and how companies could combat it.
According to the suit, the breaches occurred as a result of CBD’s failure to implement reasonable security procedures and practices appropriate to the nature of the information they collected from customers.
Both of the plaintiffs, who each purchased products from the defendants’ website, claim they experienced fraud as a result of the data breaches. While one plaintiff had over $1,300 transferred from his checking account by an unauthorized party, the other was forced to stop a $452.54 charge on his debit card at a Best Buy in another city, according to the complaint. The plaintiffs say they’ve been forced to spend time dealing with the consequences of the data breach and are “very concerned” about the potential for more fraudulent activity and identity theft in the future.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.