A proposed class action alleges millions of Walmart accounts—and the information therein—have been offered for sale on the dark web as a result of “severe vulnerabilities” with the mega-retailer’s website.
The plaintiff, a San Francisco resident, claims his Walmart account is currently up for sale on the dark web after being “accessed by hackers” during an undisclosed data breach within the last four years. Information allegedly compromised in the breach included Walmart account holders’ full names, addresses, financial details, credit card information and other private data.
According to the 32-page complaint, myriad vulnerabilities with Walmart’s website are to blame for hackers being able to attack the retailer’s computer systems directly and access, harvest and put up for sale millions of customer accounts. The lawsuit claims Walmart “has been the target of many successful hacks” given the dark web is “replete” with stolen customer accounts.
Per the case, a scan of Walmart’s website domains using Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), a widely used tool for scanning websites for security weaknesses, found at least six major vulnerabilities, including:
Seven instances in which IP addresses were disclosed in publicly served page source, which gives an attacker information about Walmart’s infrastructure that could be used to target its systems;
Forty-four instances of password fields with browser autocomplete enabled, so a browser may store and refill the credential, which could make matters easier for a hacker who gains access to a user’s machine or for password-stealing malware;
Cookies set without the HttpOnly flag (ZAP’s “Cookie No HttpOnly Flag” alert), which the complaint says can be read by malware or client-side script and used for session hijacking attempts against customers;
More than 8,600 instances in which browser cross-site scripting (XSS) protection was not enabled, meaning the response lacked an X-XSS-Protection header, a “very serious issue,” the lawsuit says, that could leave a site vulnerable to attacks on areas that see a high level of user interaction (modern browsers have since dropped support for that header, so the finding says little about whether the pages were actually exploitable);
More than 93,000 instances of a cookie set without the Secure flag, which means the browser will also send the cookie over an unencrypted HTTP connection, where it can be intercepted.
Subsequent scans of Walmart’s online properties, including its grocery site, using high-grade vulnerability scanners—such as the Nessus scanner—revealed numerous other vulnerabilities that could expose customers’ sensitive data, the lawsuit adds.
In all, Walmart has failed to implement and maintain reasonable security procedures and practices to safeguard the personal data of customers, the plaintiff alleges, adding that the retailer has “failed whatsoever to notify its customers that their data has been stolen.” From the case:
“As a direct and proximate result of Defendants’ wrongful actions and inaction and the resulting data breach, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing risk of harm from identity theft and identity fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the subject data breach on their lives by, among other things, placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts for unauthorized activity.”
The lawsuit looks to cover all California residents who had a Walmart account at any time within the last four years.