Slickwraps Inc. has been hit with a proposed class action lawsuit over a February 2020 data breach that a consumer alleges stemmed from the cell phone and tablet case maker’s “comically bad” cybersecurity.
Filed in California’s Eastern District, the case explains that Slickwraps offers customers pre-made and customizable device cases. For customized cases, the suit says, customers can utilize Slickwraps’ online portal and upload their own images onto a device case. It was the defendants’ online portal, the lawsuit claims, that had a vulnerability that allowed anyone to upload any file to any location “in the highest directory” on Slickwraps’ server.
According to the lawsuit, a cybersecurity analyst known as “Lynx0x00,” reportedly investigating the defendant’s pricing practices, announced on February 21 in a now-deleted blog post that they had accessed the personal information of Slickwraps customers the previous month. As the lawsuit puts it, Slickwraps was well aware that its data security fell well below an acceptable standard yet did nothing despite the threat of its customers’ information being compromised or stolen. The lawsuit claims that those whose information was compromised by Slickwraps were the victims of “a wholly avoidable data breach” that the company had been previously informed was a possibility given its security practices.
“To say that Slickwraps ‘suffered’ a data breach is, to put it mildly, being charitable,” the complaint scathes. “Slickwraps was well aware that it had lax data security measures and did absolutely nothing to prevent the very kind of cyber security incident that occurred.”
The complaint says the vulnerability within Slickwraps’ customizer portal allowed anyone to access customer photos; all company admin account details; customer billing, shipping and email addresses; phone numbers; and transaction histories.
As the lawsuit tells it, “Lynx0x00” attempted to alert Slickwraps to the danger posed by its customizer portal vulnerability yet the company “repeatedly and brazenly ignored these warnings,” twice blocking the blogger for reaching out. What followed, the case says, was that a second hacker accessed Slickwrap customers’ personally identifiable information. The hacker allegedly emailed 377,428 customers with a notification that their information had been compromised.
The lawsuit looks to represent a nationwide class and California-only subclass of consumers whose information was compromised as a result of the Slickwraps data breach announced around February 21, 2020.