Alleged data breach victims have sued PayPal in federal court for failing to safeguard their personal data, and are asking for class-action certification.

A pending class action lawsuit accuses online payments giant PayPal of failing to adequately safeguard the personal information of its users, leaving them vulnerable to identity theft and related ills at the hands of the unidentified perpetrators of a data breach that occurred late last year.

Nearly 35,000 people were affected by the cyberattack, which used previously compromised usernames and passwords to gain access to PayPal’s systems. PayPal’s notice to users whose personal information was compromised indicated that the company first learned of the attack just before the holidays in 2022, and that the attack was eventually determined to have happened between December 6 and December 8.

The notice was sent out January 19, and said that there was “no evidence” that the compromised logins were taken from PayPal’s systems. Rather, it’s likely that username and password data gleaned from other cyberattacks were used to attempt to log in to PayPal accounts, which succeeded in some cases where users recycled their passwords.

Lawsuit says PayPal failed to comply with FTC guidelines

The plaintiffs in the civil suit, one of whom is from Texas and the other from Nebraska, accuse PayPal of failing to comply with FTC guidelines for data protection, essentially saying that the company was negligent in its protection of consumer data. The suit was filed last week in the Northern District of California.

The complaint levels nine individual charges at PayPal, accusing the company of unjust enrichment, violating multiple state consumer protection laws, breach of contract, negligence and negligence per se. (The last means, in essence, that the company breached a duty of care imposed on it by a specific law, rather than a more general legal duty of care required for a standard negligence claim.)

These allegations are based on a wide variety of asserted facts, and the complaint accused PayPal of failing to adhere to a host of different NIST Cybersecurity Frameworks.

The plaintiffs said that they had suffered a number of harms as a result of PayPal’s alleged negligence, including being “forced to expend time dealing with the effects of the [d]ata [b]reach,” exposure to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and associated services. They’ve also asked the judge to certify the suit as a class action, given the large number of alleged victims and the impracticality of naming them all as parties to the suit.

The suit asks for an unspecified amount of monetary damages for violating the various consumer protection laws and, as equitable relief, funding for lifetime credit monitoring and identity theft insurance, and more. That’s in line with recent legal opinion on data breach-related lawsuits, which have been met with mixed responses from US courts.

According to Robert Dillard, a legal analyst for Bloomberg Law, claims for losses in data breach incidents faced an “uneven path” forward in federal courts last year.

“2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims,” he wrote in a November analysis. “However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.”