DataBreaches.Net
Minted hit with California data breach lawsuit after ShinyHunters hack

Posted on June 13, 2020 by Dissent

We anticipated a lot of lawsuits would be filed under California’s new law, the California Consumer Privacy Act (CCPA), as it imposes a data security duty on organizations. But will any of the complaints filed withstand early motions to dismiss? The CCPA requires complainants to give the organization 30 days to “cure” a violation and to provide assurance that it will not occur again. Can a plaintiff claim that because their data was stolen and sold on the dark web, there is no cure available and the case should just proceed?

A potential class action lawsuit was filed in federal court this week. This one involves a hack by the threat actors known as ShinyHunters. On May 6, a post on a popular forum announced that data from a number of companies hacked in January was now up for sale. The threat actors also listed the sale themselves on a dark web marketplace, with a price tag of $2500. As of today, there have been no sales of Minted data on that one marketplace, but of course, that doesn’t rule out private sales or sales negotiated on Jabber, etc.

Minted, Inc. allegedly first learned that it had been hacked when ZDNet reported that a number of companies had allegedly had their data stolen and listed for sale by ShinyHunters.

The plaintiffs in the proposed class action lawsuit filed in San Francisco federal court this week are Melissa Atkinson and Katie Renvall. The complaint claims violations of the California Consumer Privacy Act § 1798.150, violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq., negligence, breach of contract, and breach of implied contract.

According to the complaint, the breach compromised the consumers’ name, email address, “hashed” or “salted” password, and “where available, telephone number, billing address, and shipping address(es).”

Minted’s notification about the breach can be found here. It says, in relevant part:

The information involved includes customers’ names and login credentials to their Minted accounts, consisting of their email address and password. The passwords were hashed and salted and not in plain text. Telephone number, billing address, shipping address(es), and, for fewer than one percent of affected customers, date of birth, also may have been impacted.

Based on our investigation to date, we have no reason to believe that the following information was affected: payment or credit card information, customer address book information, or photos or personalized information that customers added to Minted designs.

The lawsuit makes some interesting claims in that it seems to be trying to establish encryption as necessary and anything less as not constituting reasonable security. Citing a post from last year by Steve Touw on IAPP, the complaint claims:

Minted has failed to maintain reasonable security controls and systems appropriate for the nature of the PII it maintains as required by the CCPA and other common and statutory laws. Hashed and “salted” passwords are not necessarily encrypted. According to one blogger for the International Association for Privacy Professionals, “encryption is a security strategy …[that] protects your organization from scenarios like a devastating breach where, if the adversary were to gain access to your servers, the data stored would be of no use to them, unless they have the encryption key. It’s an all-or-nothing security posture: You either get to see the data unencrypted, or you don’t.” “[O]rganizations should encrypt their data on a disk as a required security measure. But they must not stop there. In fact, the CCPA is clear that they should go further.” Id.

The complaint also alleges that Minted failed to maintain proper measures to detect hacking and intrusion. Since Minted acknowledged that they did not know that they had been hacked and had data exfiltrated in January until a reporter published something about it in May, how will they defend against that claim if it comes to that point? And if it’s not considered reasonable and necessary already, when will it become industry standard that all entities collecting and storing more than X individuals’ personal information should have a means to detect large file transfers/exfiltration by sftp that are anomalies from their usual network traffic? Or should there be some other standard or best practice that we will hold entities to?
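As an added illustration of the kind of control the previous paragraph asks about, the Python script below shows one way a defender can flag outbound SFTP transfers that are anomalous against a host's own history. It is example code written for this post, not code from Minted, the plaintiffs, or the original article. The flow records, host names, addresses, the training window, the multiplier `k`, and the `min_bytes` floor are all constructed assumptions; a real deployment would read these records from flow logs or a proxy and tune the thresholds to its own traffic.

```python
"""Baseline-based detection of anomalous outbound SFTP volume per host.

Per-host daily egress on the SFTP port is summarised with a median and a
median absolute deviation (MAD), a robust baseline that is not dragged
upward by a single large day. A scored day is flagged when it exceeds the
baseline by more than k robust standard deviations and is also above an
absolute floor, so hosts that legitimately ship large nightly backups
are not flagged while a never-before-seen bulk transfer is.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records, not real traffic. One tuple per outbound
# flow: (day, source_host, destination_ip, destination_port, bytes_sent).
# Hosts, addresses and sizes are invented for this example.
CONSTRUCTED_FLOWS = [
    # web-01: a few kilobytes of SFTP a day, then 2.4 GB on the last day.
    ("2020-01-01", "web-01", "203.0.113.10", 22, 12_000),
    ("2020-01-02", "web-01", "203.0.113.10", 22, 15_000),
    ("2020-01-03", "web-01", "203.0.113.10", 22, 11_500),
    ("2020-01-04", "web-01", "203.0.113.10", 22, 14_200),
    ("2020-01-05", "web-01", "203.0.113.10", 22, 13_100),
    ("2020-01-06", "web-01", "203.0.113.10", 22, 12_700),
    ("2020-01-07", "web-01", "198.51.100.7", 22, 2_400_000_000),
    ("2020-01-07", "web-01", "198.51.100.9", 443, 5_000_000_000),  # not SFTP; ignored by the port filter
    # backup-01: about 3 GB of SFTP every night; a normal night on the last day.
    ("2020-01-01", "backup-01", "203.0.113.20", 22, 3_000_000_000),
    ("2020-01-02", "backup-01", "203.0.113.20", 22, 3_050_000_000),
    ("2020-01-03", "backup-01", "203.0.113.20", 22, 2_950_000_000),
    ("2020-01-04", "backup-01", "203.0.113.20", 22, 3_020_000_000),
    ("2020-01-05", "backup-01", "203.0.113.20", 22, 2_980_000_000),
    ("2020-01-06", "backup-01", "203.0.113.20", 22, 3_010_000_000),
    ("2020-01-07", "backup-01", "203.0.113.20", 22, 3_100_000_000),
    # app-01: small, steady SFTP volume throughout.
    ("2020-01-01", "app-01", "203.0.113.10", 22, 9_000),
    ("2020-01-02", "app-01", "203.0.113.10", 22, 8_500),
    ("2020-01-03", "app-01", "203.0.113.10", 22, 9_200),
    ("2020-01-04", "app-01", "203.0.113.10", 22, 8_800),
    ("2020-01-05", "app-01", "203.0.113.10", 22, 9_100),
    ("2020-01-06", "app-01", "203.0.113.10", 22, 9_000),
    ("2020-01-07", "app-01", "203.0.113.10", 22, 9_300),
    # db-01: no SFTP history at all, then 800 MB out on the last day.
    ("2020-01-07", "db-01", "198.51.100.7", 22, 800_000_000),
]


def daily_egress(flows, port):
    """Sum bytes sent per (host, day) for flows on the given destination port."""
    totals = defaultdict(int)
    for day, host, _dst, dport, nbytes in flows:
        if dport == port:
            totals[(host, day)] += nbytes
    return totals


def host_baselines(totals, training_days):
    """Return {host: (median, MAD)} of daily egress over the training days."""
    per_host = defaultdict(list)
    for (host, day), nbytes in totals.items():
        if day in training_days:
            per_host[host].append(nbytes)
    baselines = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[host] = (med, mad)
    return baselines


def detect_egress_anomalies(flows, port=22, training_days=None, k=6.0, min_bytes=50_000_000):
    """Flag (host, day) egress totals that are both large and far above the host's baseline.

    By default every day except the most recent one forms the baseline and
    only the most recent day is scored. 1.4826 scales the MAD to a standard
    deviation for normally distributed data, so k is a robust z-score cutoff.
    """
    totals = daily_egress(flows, port)
    all_days = sorted({day for day, *_ in flows})
    if training_days is None:
        training_days = set(all_days[:-1])
    baselines = host_baselines(totals, training_days)
    alerts = []
    for (host, day), nbytes in sorted(totals.items()):
        if day in training_days or nbytes < min_bytes:
            continue
        if host not in baselines:
            alerts.append({"host": host, "day": day, "bytes": nbytes, "baseline_median": None,
                           "reason": f"no prior egress on port {port} from this host"})
            continue
        med, mad = baselines[host]
        threshold = med + k * 1.4826 * mad
        if nbytes > threshold:
            alerts.append({"host": host, "day": day, "bytes": nbytes, "baseline_median": med,
                           "reason": f"{nbytes} bytes exceeds baseline threshold {threshold:.0f}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(CONSTRUCTED_FLOWS):
        print(alert)
```

Run as-is, the script flags only `web-01` (gigabytes from a host that normally sends kilobytes) and `db-01` (a large transfer from a host with no SFTP history), while `backup-01`'s routine multi-gigabyte night passes because its own baseline is large. The port filter is deliberately narrow to match the "by sftp" framing above; in practice the same baseline logic is applied per destination port or per protocol, and the thresholds are tuned against the organisation's real traffic rather than the invented values here.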

Not surprisingly, the complaint does not allege that either of the named plaintiffs has experienced any concrete injury like identity theft or fraud. It’s all about what may happen and the time they will have to spend forever, etc. etc. etc. But the fact that the plaintiffs claim there is no cure makes me wonder whether all future complaints will try that same tack. Some of us had been discussing this exact issue at the Privacy & Security Forum last month. What’s a “cure” in a confirmed breach if identity information is involved and will not change over the individual’s lifetime? And how can an entity really provide assurance that a similar or identical breach won’t happen again? Will pinky swearing suffice?

I think the CCPA litigation — to the extent that complaints survive initial challenges — may get us more into what is considered “reasonable” security — at least in California.

DataBreaches.net has been unable to reach Minted via email so far, but has reached out to the firm via Twitter to try to get contact information. If I can get a statement from the firm about the lawsuit, this post will be updated with it.

Update: The company responded by stating that it does not comment on any potential pending litigation.

Category: Breach Incidents, Commentaries and Analyses, Hack, State/Local

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.