Volkswagen Group of America and Audi of America face a proposed class action after the personally identifiable information of more than 3 million people was reportedly stolen in a data breach.
The 56-page complaint, filed in New Jersey on June 28, says information compromised in the cyberattack includes names; mailing and email addresses; phone numbers; vehicle purchase, lease and inquiry details, including vehicle identification numbers (VINs); make, model, year, color and trim specifics; and driver’s license, Social Security, account or loan and tax identification numbers. Per the case, the stolen data was put up for sale Monday on a well-known hacking forum.
Those affected by the data breach face a heightened and imminent risk of fraud and identity theft and must now and in the future closely monitor their financial accounts – including by paying for credit monitoring services – to guard against suspicious activity, the lawsuit stresses.
According to the suit, Volkswagen and Audi collected from 2014 through 2019 the personal information of approximately 3.3 million U.S.-based customers. The lawsuit says roughly 90,000 of those customers provided the companies with information as sensitive as their driver’s license, account and Social Security numbers. As the suit tells it, the defendants eagerly accepted proposed class members’ information yet failed for years to exert the same enthusiasm in protecting it.
“While Defendants are more than happy to monetize that information, and despite the very sensitive nature of that information and the clear potential for misuse, Defendants left that data stored unsecured for two years,” the case alleges.
Though VW and Audi were informed in March that unauthorized third parties had accessed customers’ personal information, with a subsequent investigation confirming that the data was indeed stolen, the automakers did not begin to notify state attorneys general and those affected by the hack until June 2021, the lawsuit says.
The plaintiff, who the suit says has leased three Audi vehicles since 2017, relays that the data breach notice he received this month cautioned him to “look out for spam emails” and “[b]e cautious when opening links or attachments from unsolicited third parties,” and offered him the option to enroll in credit monitoring and identity theft recovery services. The case says the plaintiff, after being informed of the breach, devoted valuable time to making reasonable efforts to mitigate the impact of the attack, time that “he otherwise would have spent on other activities.”
According to the lawsuit, Volkswagen and Audi failed to comply with Federal Trade Commission guidelines in the run-up to the breach, which should have been on their radar given the prevalence of similar attacks against large companies in recent years.
“Defendants’ inattention to the possibility that anyone could obtain the PII of any customer or potential customer of Defendants left Plaintiff and Class members with no ability to protect their sensitive and private information,” the lawsuit asserts. “Defendants had the resources necessary to prevent the Data Disclosure, but neglected to adequately implement data security measures, despite its obligations to protect the PII of the Plaintiff and Class members from unauthorized disclosure.”
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.