He beat me to it. š While I took a break to argue on Twitter about the hacked Jeep story in Wired, Brian Krebs was reporting on a class action lawsuit filed against Experian over the Court Ventures/U.S. InfoSearch data breach that was covered extensively on both his siteĀ and on this site.
The lawsuit was filed in federal court for the Central District of California. I’ve uploaded a copy ofĀ the complaint here (pdf).
To summarize some of the key points in the complaint:
1. The plaintiffs, led by Maudie Patton, Jacqueline Goodridge, and Virginia Kaldmo, are suing Experian for violations of the Fair Credit Reporting Act, theĀ California Business & Professions Code Ā§Ā§ 17200,Ā et seq., and the Declaratory Judgment Act.
Neither Court Ventures nor U.S. InfoSearch is named as a defendant in the lawsuit.
2. TheĀ plaintiffs areĀ seeking to recover FCRA statutory damages and injunctive relief requiring ExperianĀ to
(i) notify each U.S. citizen whose PII (a) was accessed by Ngo, (b) sold by Defendant to Ngo and/or his fraudster customers, or (c) was otherwise exposed in the Security Lapse,
(ii) provide quality credit monitoring and substantial identity theft coverage to each such person,
(iii) establish a fund (in an amount to be determined) to which such persons may apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate identity theft and identity fraud (i.e., data breach insurance), from July 1, 2010 forward to the date the above-referenced credit monitoring terminates,
(iv) disgorge its gross revenue from transactions with Ngo and his fraudster customers involving Plaintiffsā and Class Membersā PII and the earnings on such gross revenue, and
(v) discontinue its above-described wrongful actions, inaction, omissions, want of ordinary care, nondisclosures, and the causes of the Security Lapse.
The notification issue is of particular interest to me, as this blog had covered that issue and obtained statements from U.S. InfoSearch and Experian as to whose responsibility it was to notify those affected. Based on the complaint, it would appear that no one has yet been notified, which is pretty outrageous.
By the way, standing should not be an issue in this case as all named plaintiffs became victims of tax refund fraud/identity theft.
Of small note, Experian, through their counsel, was originally very insistent that the breach did not affect 200 million people (even though the criminals would presumably have had access to the information on 200 million people).Ā The complaint handles the numbers issue this way:
It has so far been established that the Superget.info and findget.me websites had 1,300 customers who paid Ngo nearly $2 million over the relevant period to access databases containing the PII of 200 million U.S. citizens. Over an 18-month period, Superget.info customers conducted approximately 3.1 million queries, 1.0 million of which were conductedĀ afterĀ Experian acquired CVI. Since each query could generate an unlimited number of hits, the actual number of individual consumer PII records exposed, accessed, obtained, and utilized by fraudsters to commit further identity theft and identity fraud could be in the tens of millions.
And while all this is going on, the suit and countersuit between Experian and Court Ventures continues.
Would this be a good time to point out that I filed a complaint against Experian with the FTC in April 2012? By then, Experian had already acquired Court Ventures and would now be responsible going forward, but FTC continues to disappoint by their failure to take public action over Experian’s security failures.