Live Auctioneers Hit with Class Action Over Data Breach Reportedly Affecting 3.4M Account Holders
by Erin Shaak
Last Updated on November 24, 2020
Zheng v. Live Auctioneers LLC
Filed: November 19, 2020 ◆§ 1:20-cv-09744
A lawsuit claims Live Auctioneers' inadequate security measures allowed hackers to access 3.4 million accountholders private information in a data breach.
Live Auctioneers LLC faces a proposed class action that claims inadequate security measures on the part of the online auction marketplace allowed hackers to compromise the private information of 3.4 million account holders in a reported data breach.
During the security breach, which was disclosed by the defendant in a July 12, 2020 letter, unauthorized parties were able to view, access, extract, download and store account holders’ private data in “unsecured, vulnerable, and untraceable locations for extended periods of time,” according to the 18-page case.
Per the complaint, the compromised information included proposed class members’ names, email and mailing addresses, “visit history,” phone numbers, credit card numbers and expiration dates, and account passwords.
The suit alleges the breach stemmed from the defendant’s “unreasonable lack of oversight and lax security measures” on a number of levels in the face of known data privacy risks. From the complaint:
“Live Auctioneers willfully, knowingly, and consciously disregarded known security risks to the Private Information; failed to implement appropriate and reasonable security protocols and policies to safeguard the Private Information; failed to properly train employees regarding risks of and protections against cyberattacks; and failed to properly monitor and update its network security and the systems that stored massive repositories of valuable Private Information and which Live Auctioneers knew or should have known inevitably would be targeted and tested by hackers at some point.”
For example, Live Auctioneers was using an “outdated and ineffective” algorithm, known as MD5, to encrypt usernames and passwords, the lawsuit says. Had Live Auctioneers employed and maintained “industry standard and commercially reasonable” cybersecurity practices, the data breach would not have occurred, or would have been mitigated, the complaint argues.
According to the suit, the data breach was first discovered on July 10, 2020 when cybersecurity research firm CloudSEK discovered the private information of 3.4 million Live Auctioneers’ account holders up for sale on an online forum. Per the complaint, the information was stolen on June 19, 2020. Since then, the suit says, proposed class members’ data has been “sold and copied multiple times by unscrupulous and criminal actors,” exposing account holders to an increased risk of identity theft and fraud.
Since the breach, the plaintiff, a Live Auctioneers account holder and citizen of Singapore, has been “repeatedly called and texted from unknown sources,” sometimes in the middle of the night, the suit states. Per the case, the calls and texts came from “rotating phone numbers that were impossible to block” but originated from the same person who knew the plaintiff’s name.
“Plaintiff had not been receiving these unsolicited phone calls prior to the Data Breach,” the complaint states.
Moreover, the plaintiff says he’s received at least four unsolicited text messages containing phishing attempts designed to entice him into clicking suspicious links.
The lawsuit looks to cover anyone whose private information was accessed in the Live Auctioneers security breach.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Before commenting, please review our comment policy.