A proposed class action has been filed in Ohio over a breach of CenturyLink’s MongoDB-operated database containing more than 2.8 million customer records. The lawsuit claims that while defendants CenturyLink, Inc. and MongoDB, Inc. became aware of a security flaw in the database in September 2019, the companies waited until November to inform those whose personally identifiable information was compromised.
The 23-page case explains that CenturyLink maintains a database of customer records containing certain account information. CenturyLink’s database, which is created, operated and controlled by MongoDB, allegedly includes customer names, email and physical addresses, phone numbers, and the contents of email correspondence with the company. The complaint points out that while MongoDB operated the database, CenturyLink exercised “significant control and authority” with regard to the security of the information contained therein.
According to the lawsuit, security researcher Bob Diachenko discovered on September 15, 2019, that the contents of CenturyLink’s MongoDB-operated database were “made publicly available such that no authentication was required to access it.” The complaint states that although Diachenko informed CenturyLink of the data breach on the same day it was discovered, the data had already been exposed for roughly 10 months. The plaintiffs allege CenturyLink and MongoDB’s failure to “adopt, implement, maintain and enforce” suitable data security procedures is to blame for the breach.
The plaintiffs say CenturyLink only notified proposed class members that its database had been accessed without authorization on November 19, 2019. Particularly concerning, the case says, is that the plaintiffs each have a CenturyLink email account that’s linked to other accounts associated with various websites. By obtaining access to the plaintiffs’ CenturyLink email accounts, unauthorized third parties have been able to access the consumers’ LifeLock, Facebook, and Amazon accounts, the suit alleges. Further, the plaintiffs claim they have been unable to access their online CenturyLink billing accounts “for several months” and have received phishing emails that contained personalized information.
The lawsuit contends that proposed class members, as a result of the data breach, now face an increased risk of harm due to potential fraud and identity theft.