March 5, 2021 – Lawsuit Dismissed with Leave to Amend
The judge overseeing the case detailed on this page has granted Walmart’s motion to dismiss while giving the plaintiff leave to amend his suit.
According to a March 5 order, U.S. District Judge Jeffrey S. White ruled that the plaintiff’s California Consumer Protection Act (CCPA) claim cannot stand because the plaintiff failed to allege that Walmart’s violations occurred before January 1, 2020, when the CCPA went into effect.
Moreover, the complaint did not sufficiently allege that the plaintiff’s “personal information” was disclosed, the judge wrote. Though the plaintiff generally referred to “financial information” being disclosed in a data breach, he did not allege the disclosure of a credit or debit card or account number along with the required security or access code, according to the order.
“Although the Court will draw reasonable inferences in Plaintiff’s favor at this stage, it cannot read missing allegations into the complaint,” the judge wrote.
The judge also dismissed the plaintiff’s claims for negligence, breach of contract, and violations of California’s Unfair Competition Law, ruling that the plaintiff failed to sufficiently allege injury to support his remaining claims.
More specifically, the judge wrote that the plaintiff failed to show that he suffered injury due to loss of value of his personally identifiable information, future risk of identity theft, out-of-pocket expenses for necessary credit monitoring services and loss of the benefit of his bargain.
The judge has allowed the plaintiff 21 days to amend his complaint.
A proposed class action alleges millions of Walmart accounts—and the information therein—have been offered for sale on the dark web as a result of “severe vulnerabilities” with the mega-retailer’s website.
The plaintiff, a San Francisco resident, claims his Walmart account is currently up for sale on the dark web after being “accessed by hackers” during an undisclosed data breach within the last four years. Information allegedly compromised in the breach included Walmart account holders’ full names, addresses, financial details, credit card information and other private data.
According to the 32-page complaint, myriad vulnerabilities with Walmart’s website are to blame for hackers being able to attack the retailer’s computer systems directly and access, harvest and put up for sale millions of customer accounts. The lawsuit claims Walmart “has been the target of many successful hacks” given the dark web is “replete” with stolen customer accounts.
Per the case, a scan of Walmart’s website domains using Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), a widely used tool for scanning websites for security weaknesses, found at least six major vulnerabilities, including:
Seven instances in which IP addresses were being disclosed in the public website code, which may contribute to an attack on Walmart’s systems;
Forty-four instances of password autocomplete enabled, which could make matters easier for a hacker looking to breach a user’s account or aid password-extracting malware;
The cookie “No HttpOnlyFlag” being set, which can be accessed by malware and used to conduct session hijacking attempts on customer computers;
More than 8,600 instances in which cross-site scripting (XSS) was not enabled, a “very serious issue,” the lawsuit says, that could leave a site vulnerable to attacks on areas that see a high level of user interaction;
More than 93,000 instances of a cookie without the secure flag being set, which can enable cookies to be accessed through an unencrypted connection.
Subsequent scans of Walmart’s online properties, including its grocery site, using high-grade vulnerability scanners—such as the Nessus scanner—revealed numerous other vulnerabilities that could expose customers’ sensitive data, the lawsuit adds.
In all, Walmart has failed to implement and maintain reasonable security procedures and practices to safeguard the personal data of customers, the plaintiff alleges, adding that the retailer has “failed whatsoever to notify its customers that their data has been stolen.” From the case:
“As a direct and proximate result of Defendants’ wrongful actions and inaction and the resulting data breach, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing risk of harm from identity theft and identity fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the subject data breach on their lives by, among other things, placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts for unauthorized activity.”
The lawsuit looks to cover all California residents who had a Walmart account at any time within the last four years.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.