Online dating service Zoosk and its parent group face a proposed class action over a May 2020 data breach that affected at least 13 companies and compromised more than 200 million user records.
According to the 27-page lawsuit, Zoosk and parent company Spark Networks SE, also a defendant, took the biggest hit during the incident, with a group of hackers calling itself the “ShinyHunters” making off with the sensitive data of 30 million users. The plaintiffs, California Zoosk users, allege the defendants failed to adequately safeguard proposed class members’ sensitive data and maintain proper measures to detect hacking and intrusion.
“According to its notice to affected customers, Zoosk did not learn that its customer records were stolen until the hack was publicly reported,” the complaint reads. “As explained below, Zoosk should have had breach detection protocols in place. If it had, it could have learned of the breach and alerted customers much sooner.”
In a May 11 notice to affected users, Zoosk relayed that it learned an unknown third party claimed to have accessed certain member information, the case says. More than three weeks later, and more than a month after the data breach occurred, Zoosk notified affected users that their personal information had been disclosed to “unauthorized and malicious” third parties, according to the suit.
To date, Zoosk has acknowledged the user information disclosed in the incident includes names, email addresses, birth dates, generalized demographic information, genders, gender search preferences and password details, the lawsuit says, alleging violations of the California Consumer Privacy Act (CCPA). Though Zoosk claims an investigation remains ongoing into the data breach, proposed class members’ sensitive data has already been stolen, viewed and put up for sale on the dark web, which cannot be undone, the complaint asserts.
Noted in the complaint is that Spark Networks SE operates a number of online dating sites in addition to Zoosk that, upon information and belief, share a common user database. It is unclear at this time whether data from Spark Networks’ other sites were compromised in the May 2020 Zoosk incident, the lawsuit says.
According to the suit, the Zoosk app has been downloaded 38 million times since January 2014, with more than half of those occurring in the United States. San Francisco-based Zoosk was acquired by Berlin-based Spark Networks in July 2019, the case says.
The lawsuit argues the data breach was “a reasonably foreseeable consequence” of the defendants’ subpar security systems.
“Defendant Zoosk, is valued at $258 Million Dollars, has the resources to implement reasonable security systems to prevent or limit damage from data breaches,” the plaintiffs contend. “Even so, it failed to properly invest in its data security.”
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.