Minted, Inc. faces a proposed class action in which two consumers claim the online marketplace’s “inadequate security systems” allowed a hacking group to access customers’ personal information in a May 2020 data breach.
In a May 28 notice to customers, the defendant, an online marketplace for “crowd sourced” goods made by independent artists, disclosed that it “became aware” on May 15 of a report that listed Minted as one of at least 10 other companies impacted by a cybersecurity incident, the lawsuit says. According to the case, a hacking group known as Shiny Hunters attempted to sell on the dark web on May 6 more than 73.2 million records containing the personally identifiable information (PII) of 11 different companies’ customers, including five million who shopped on Minted.
Minted has acknowledged that the compromised information included a combination of customer names, email addresses, “hashed” or “salted” passwords and, in some cases, telephone numbers and billing and shipping addresses, the lawsuit states. Though the company has said it has “no reason to believe that … payment or credit card information, address book information, photos or personalized information” were breached, the case argues that Minted has neither confirmed that these data were not disclosed nor informed customers of the basis for its belief that the information was not compromised.
“It is now more than one month since the Data Breach occurred, and Minted’s stated position is, in effect, that it is still unsure just how much of its customers’ PII was hacked,” the complaint scathes.
The lawsuit claims Minted failed to maintain adequate security measures as required by the newly enacted California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020. According to the suit, the “hashed” or “salted” passwords compromised in the breach were not necessarily encrypted, meaning they “can be accessed and used even while […] redacted with different levels of utility based on how much manipulating of the data is done to protect privacy.” At a minimum, the information disclosed in the breach could allow “sophisticated hackers” such as the Shiny Hunters to access customers’ online accounts, the case argues.
According to the lawsuit, Minted knew or should have known that its lax security protocols put customers at risk of having their information disclosed to unauthorized third parties yet failed to take reasonable steps to protect the data. As the complaint puts it:
“Minted maintains a business that operates exclusively online and collects hundreds of millions of dollars from online customers each year; it has the resources to adopt reasonable protections and should have known to do so.”
The case goes on to slam Minted for its failure to detect the breach, noting that the company only learned of the incident after it was disclosed in a public report. If the defendant had implemented proper breach detection protocols, the company would have detected the hack and alerted customers “much sooner,” the suit says.
According to the case, the data breach was a “reasonably foreseeable consequence” of Minted’s inadequate security systems and has placed customers’ at an ongoing risk of identity theft and fraud. Despite the impact of the breach on customers, the defendant has failed to offer credit monitoring services or other mitigation measures “beyond what is available to the public,” the complaint says.
The lawsuit looks to cover anyone nationwide whose personally identifiable information was compromised in the May 2020 Minted data breach, with a proposed class of California residents.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.