A class action lawsuit brought against StockX, Inc. on behalf of an unnamed minor alleges the online retailer negligently failed to safeguard customers’ personally identifiable information (PII) and then fraudulently attempted to conceal a data breach affecting more than 6.8 million users.
StockX is an online e-commerce platform that specializes in fashionable clothing with a particular emphasis on high-end sneakers. The platform functions in a similar way to the stock market with each product being assigned a ticker symbol. Sellers will then offer up their asking prices and buyers will bid on items, the lawsuit says. StockX requires all users to register for an account, for which they must provide their name and email address and come up with a username and password, according to the case.
On August 1, 2019, StockX sent out an email in which it prompted users to update their usernames and passwords due to “recently completed system updates,” the lawsuit says. The case claims, however, that this email was actually sent to mitigate the damage from a recent hack of StockX during which an unauthorized third party gained access to the defendant’s system. Several days after the breach, the hacker who stole proposed class members’ information listed the account details of approximately 6.8 million users for sale on the dark web, the complaint states.
The technology website TechCrunchreported the breach on August 3 after an “unnamed data breached [sic] seller” contacted the publication and provided a sample of StockX user data being sold on the dark web. TechCrunch says it verified this information by contacting the customers to whom the stolen information belonged. After the TechCrunch article was published, StockX sent out a second email in which confirmed that the breach had occurred and was the impetus behind their previous email requiring users to update their account information, the suit says.
According to the suit, the stolen information is already being used fraudulently. The case includes an account of one alleged instance in which a pair of Jordan 1 sneakers was bought for $23,000 using stolen account information.
“The PII that plaintiff and the class entrusted to StockX has been stolen, sold and purchased by criminals who will seek and have already sought to misuse it,” the case states.
More concerning than the breach itself is the number of minors affected by the hack. According to the suit, StockX is very popular with teenagers, and teen boys in particular are responsible for a large share of the platform’s revenue. Co-founder Dan Gilbert even credits his son and his teenage friends’ interest in buying sneakers as a major reason he helped found StockX. The suit contends that due to their age, the class of minors it seeks to represent are not bound by StockX’s class-waiver and forced-arbitration clauses and are therefore eligible to sue.
Several other lawsuits have been filed against StockX over the data breach, including one filed in Florida back in May.
The suit seeks to cover all minors in the United States who provided StockX with PII and whose information was exposed in the alleged breach.