[BreachExchange] Minted Sued Over Data Breach Under California Law (Corrected)

Destry Winant destry at riskbasedsecurity.com
Tue Jun 16 10:24:48 EDT 2020


The popular online stationery and craft marketplace Minted Inc. has
been sued in a class action under California’s new consumer privacy
law, which allows for thousand-dollar per violation penalties, for
allegedly mismanaging customers’ personal information following a
massive data breach revealed last month.

According to the complaint, filed Thursday in the U.S. District Court
for the Northern District of California, hackers going by the name Shiny
Hunters stole 73.2 million records containing personally identifying
information from 11 companies, Minted among them.

On May 6, 2020, Shiny Hunters attempted to sell the data on the dark
web. Minted was allegedly unaware of the breach until notified by a
public report on May 15. It wasn’t until May 28 that Minted notified
customers via email, according to the complaint.

Would-be class plaintiffs Melissa Atkinson and Katie Renvall allege
that Minted failed to invest in appropriate data security systems,
notwithstanding reporting around $150 million in revenue in 2019.

Minted told customers that the data leaked included unredacted and
unencrypted names, logon email addresses, and hashed passwords.
According to the complaint, it told customers no payment or credit
card information was stolen but hasn’t explained how it reached that
conclusion, and they say the data could be used to figure out how to
access other sensitive accounts.

The lawsuit makes claims under both federal and California state law,
including the California Consumer Privacy Act enacted in January.

The CCPA applies to businesses with gross annual revenues in excess of
$25 million, businesses sharing the data of more than 50,000
customers, or businesses that derive 50% or more of their revenues
from the sale of protected personal data, which for purposes of the
law is defined broadly.

It requires companies to disclose their data collection and sharing
practices and to provide consumers with the right to delete their
personal information. It also requires businesses to give consumers
the opportunity to opt out of the sale of their data and prohibits the
sale of personal information for consumers under the age of 16.

Businesses that run afoul of the law face penalties of $2,500 for each
unintentional violation or $7,500 for each intentional violation after
notice and a 30-day opportunity to cure have been provided when
enforced by the state attorney general’s office. Penalties sought
under a private right of action range from $100 to $750 per violation.

Causes of Action: For the California class, the California Consumer
Privacy Act and California’s Unfair Competition Law. For the
nationwide class, negligence, breach of contract, and breach of
implied contract.

Relief: Compensatory and punitive damages; statutory or civil penalties.

Potential Class Size: The lawsuit seeks certification of nationwide
and California classes comprised of all individuals whose personally
identifiable information was compromised in the breach.

Response: Minted didn’t immediately respond to a request for comment.

Attorneys: Moginrubin LLP and Schack Law Firm.

The case is Atkinson v. Minted, Inc., N.D. Cal., No. 3:20-cv-03869, 6/11/20.

(Corrects criteria for companies subject to law in seventh paragraph
and adds detail on penalties in ninth paragraph.)
