Alleged data breach victims have sued PayPal in federal court for failing to safeguard their personal data, and are asking for class-action certification.

A pending class action lawsuit accuses online payments giant PayPal of failing to adequately safeguard the personal information of its users, leaving them vulnerable to identity theft and related ills at the hands of the unidentified perpetrators of a data breach that occurred late last year.

Nearly 35,000 people were affected by the cyberattack, which used previously compromised usernames and passwords to gain access to PayPal’s systems. PayPal’s notice to users whose personal information was compromised indicated that the company first learned of the attack just before the holidays in 2022, and that the attack was eventually determined to have happened between December 6 and December 8.

The notice was sent out January 19, and said that there was “no evidence” that the compromised logins were taken from PayPal’s systems. Rather, it’s likely that username and password data gleaned from other cyberattacks were used to attempt to log in to PayPal accounts, which succeeded in some cases where users recycled their passwords.

Lawsuit says PayPal failed to comply with FTC guidelines

The plaintiffs in the civil suit, one of whom is from Texas and the other from Nebraska, accuse PayPal of failing to comply with FTC guidelines for data protection, essentially saying that the company was negligent in its protection of consumer data. The suit was filed last week in the Northern District of California.

The complaint levels nine individual charges at PayPal, accusing the company of unjust enrichment, violating multiple state consumer protection laws, breach of contract, negligence and negligence per se. (The last means, in essence, that the company breached a duty of care imposed on it by a specific law, rather than a more general legal duty of care required for a standard negligence claim.)
These allegations are based on a wide variety of asserted facts, and the complaint accused PayPal of failing to adhere to a host of different NIST Cybersecurity Frameworks.

The plaintiffs said that they had suffered a number of harms as a result of PayPal’s alleged negligence, including being “forced to expend time dealing with the effects of the [d]ata [b]reach,” exposure to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and associated services. They’ve also asked the judge to certify the suit as a class action, given the large number of alleged victims and the impracticality of naming them all as parties to the suit.

The suit asks for an unspecified amount of monetary damages for violating the various consumer protection laws and, as equitable relief, funding for lifetime credit monitoring and identity theft insurance, and more. That’s in line with recent legal opinion on data breach-related lawsuits, which have been met with mixed responses from US courts.

According to Robert Dillard, a legal analyst for Bloomberg Law, claims for losses in data breach incidents faced an “uneven path” forward in federal courts last year.

“2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims,” he wrote in a November analysis. “However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.”