A proposed class action has been filed against Claire’s Stores, Inc. and CBI Distributing Corp. over a data breach that allegedly resulted in the unauthorized disclosure and use of online customers’ personal and financial information.
According to the case out of Cook County, Illinois Circuit Court, the jewelry and fashion accessories retailer learned in June 2020 that an unauthorized person had added to Claire’s website a computer code that “was capable of obtaining information entered by customers during the checkout process and sending that information out of our system.”
The compromised information, the suit says, included the first and last names; addresses; email addresses; phone numbers; payment card numbers, expiration dates, and verification codes; Claire’s account passwords; and gift card numbers and PINs, if applicable, of anyone who shopped on Claire’s website between April 7 and June 12, 2020.
The lawsuit argues that Claire’s failed to take necessary safety precautions to protect customers’ personal information, which can now and in the future be sold to fraudsters and identity thieves.
“This extremely sensitive data should have received the most rigorous protection available, but it did not,” the complaint reads.
Per the lawsuit, reports began surfacing in June 2020 that Claire’s had experienced a cyber intrusion on its e-commerce platform by hackers usingMagecart tactics. The suit says the intruders infiltrated Claire’s Salesforce Commerce Cloud environment “for at least seven weeks” while customers’ private information was exfiltrated “into the hands of unauthorized persons.”
Claire’s not only failed to implement sufficient security measures to protect customers’ “extremely sensitive and private data” but waited almost a full month after learning of the breach to send notice to affected customers in a letter dated July 7, according to the case. As the lawsuit tells it, the perpetrators of the breach came up against little resistance from the defendant’s cybersecurity barriers.
From the complaint:
“It appears it was not difficult for a thief or a hacker to exploit Defendants’ lax security and exfiltrate the Personal Information right under Defendants’ noses, as Defendants failed to discover the intrusion for over one month and then waited roughly another month, at minimum, before providing any notice to the affected customers.”
At the time the lawsuit was filed, the defendants’ websites, including Claire’s online “Press Room,” contained no information pertaining to the breach, the complaint adds.
The case goes on to decry Claire’s offer of one year of identity theft insurance, claiming such is “woefully inadequate” to address the continued risk of identity theft and fraud faced by affected customers. According to the plaintiff, neither the identity theft insurance offer nor Claire’s warnings that customers should review their accounts and report any unauthorized charges to their banks require the defendants to “expend any material effort, or take reasonable measures” to protect customers’ personal information.
Instead, Claire’s has placed the burden to discover and rectify fraudulent charges and identity theft squarely on customers, the suit contends.
“Defendants’ failure to adequately protect Plaintiff’s and Class Members’ Personal Information has resulted in Plaintiff and Class Members having to undertake protective and mitigating measures, which require extensive amounts of time, calls, and, for many of the more adequate credit and fraud protection services, payment of money—while Defendants sit by and do nothing to assist those affected by the Data Breach,” the lawsuit reads, adding that while some harms have been experienced already, “the worst may be yet to come.”
After receiving a data breach letter from the defendants, the plaintiff noticed a “substantial increase in spam/phishing calls” in which the callers would attempt to learn additional personal information about the woman, according to the case.
“Since the Data Breach occurred, Plaintiff has been receiving these calls on a daily basis, often multiple calls per day,” the suit says, adding that the plaintiff has spent hours of additional time monitoring her financial accounts and mitigating the risks of fraud and identity theft.
The plaintiff looks to represent anyone in the U.S. whose personal information was compromised as a result of the data breach disclosed by Claire’s around July 7, 2020, with a proposed subclass of Pennsylvania residents.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.