San Francisco 49ers Responsible for 2022 Data Breach Affecting 20K Individuals, Class Action Claims [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

49ers Enterprises, LLC, which operates National Football League (NFL) team the San Francisco 49ers, failed to prevent a data breach in February 2022 that affected roughly 20,000 customers, current and former NFL employees and their dependents, a proposed class action claims. 

According to the 37-page lawsuit, ransomware gang Blackbyte was able to hack the 49ers’ computer network for five days beginning on February 6 of last year because the company failed to implement and maintain appropriate cybersecurity procedures. As a result, the cybercriminals easily accessed the unencrypted, unredacted personal information stored in the 49ers’ system, the case alleges.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The complaint explains that the data breach compromised information consumers must provide the company to buy tickets for San Francisco 49ers games, including their names, Social Security numbers and payment card numbers. The cyberattack also exposed employees’ personal data, as well as their dependents’ information and their immigration statuses, the filing adds.

“Defendant is a highly sophisticated business enterprise worth billions of dollars, and yet it neglected to take basic and necessary steps to ensure that the [personally identifiable information] it collected from consumers and NFL employees was effectively protected against the foreseeable threat of a targeted data breach,” the case stresses. 

Indeed, the lawsuit argues that ransomware attacks are a “well-known threat” to businesses that store personal information, as illustrated by several recent, high-profile data breaches at other industry-leading companies, including a 2017 NFL Players Association data breach that affected 1,200 football players. 

Data breaches are preventable, the suit further contends, as long as companies maintain certain reasonable cybersecurity practices, like those recommended by the United States Government, the United States Cybersecurity & Infrastructure Security Agency and the Microsoft Threat Protection Intelligence Team. 

Per the complaint, the 49ers failed to adopt these procedures or comply with minimum industry standards for safeguarding personal data. Additionally, the case asserts that the company’s failure to employ “reasonable and appropriate” security measures is out of line with the Federal Trade Commission Act and the agency’s cybersecurity guidelines for businesses. 

To add insult to injury, the 49ers waited six months before notifying data breach victims in August 2022, the case says. The filing states that the letter was short on specifics, leaving out details about the root cause of the breach, the vulnerabilities exploited and what actions the company will take to prevent a future ransomware attack. The 49ers also did not name Blackbyte as the unauthorized actor that accessed its network and failed to mention that the notorious ransomware gang had already published certain exfiltrated information on the dark web, the case contends.

Although the team says it will provide affected individuals 12 months of identity monitoring services, the offer is “wholly inadequate” given that data breach victims may face years of ongoing identity theft or financial fraud, in addition to the out-of-pocket expenses associated with such crimes, the complaint asserts.

The lawsuit looks to represent anyone in the United States whose personally identifiable information was compromised in the data breach first announced by the San Francisco 49ers on or about August 31, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.