The increasing number of data breaches raises new concerns for all companies. According to Statista, there were 1,473 million data breaches causing 164 million exposed records in the US in 2019. Many companies are being sued for data breaches and since the implementation of the General Data Protection Regulation (GDPR), these cybersecurity lawsuits run into millions of dollars.
Yahoo faced the biggest cybersecurity attack in history when 3 billion accounts were compromised. Many other prominent companies, such as Google, Facebook, and Microsoft, have also faced multiple leakages, and many other high-profile companies have faced massive data breaches where millions of items of data were leaked. The huge leakage was covered in the media while another 600 publicly reported breaches were ignored without any class action litigation, however, since the new GDPR rules (May 2018) things are different. Before the implementation the penalty was maximized at €500,000, but now it can be 4% of a company’s annual income.
Can a company be sued for data breaches?
A company manages all of its tasks to provide the best customer experience and it’s their responsibility to secure their customers' sensitive data. Cybersecurity laws are something new for most businesses and they are not paying proper attention to these rules. Many companies face losses of millions of dollars due to data breaches caused every year, but now, companies also have to be careful about other consequences. What do I mean? David Coolegem - Senior Manager at Sia Partners - said:
“The fines of GDPR are big, but the reputational risk is likely to be bigger.”
The cybersecurity laws now demand businesses protect their user’s data as well as their reputation and if the company is unable to do so, then they can be sued, face a lawsuit or even worse.
How are data stolen from companies?
Data breaches can occur in many different ways, but how companies store their data is really important. Many organizations still rely on their own on-site servers, while most have moved to cloud platforms for better security.
Third parties are involved in cloud-based platforms, so data transparency is decreasing. Indirect, remote management increases the risk of malicious attacks, and external threats can really put a company’s data at stake. It does not mean that companies should not use cloud-based storage, but they have to secure it properly before storing sensitive data about their users. Data security is possible in all environments, but smaller vulnerabilities can still be exploited by attackers.
Breaches can cause companies and businesses huge losses. Here are some of the most common types of data that attackers steal from organizations:
- Credit card information
- Financial account information
- Social security numbers (SSNs)
- Email addresses
- Phone numbers
- Driver’s license numbers
- Personal and business addresses
Companies being sued and lawsuit cases caused by data breaches
Data breach lawsuits are now becoming more common. Plaintiff groups, including shareholders, customers and employees can legally impose lawsuits or sue companies in case of a data breach. Companies are fully responsible for such breaches because they should have maintained the security of sensitive data. Here we will discuss some companies that were sued because they failed to protect stored data.
Target is a good example of a company which failed to protect its customer’s data back in 2013. The data of credit cards were stolen by attackers whenever a customer swiped their credit or debit card. The 100+ plaintiffs alleged that Target was not able to protect their credit card information. After two years, the plaintiffs and Target settled on a proposal, and the company had to pay an $18.5 million multistate settlement to resolve the claims of 40 million members. They were also obligated to protect their systems to prevent any future breaches.
LabCorp is a reputable company that works with healthcare diagnostics, laboratory, and genetic testing services. They faced multiple data breaches in 2019 and 2020. The credit card data of 7.7 million patients were breached back in June 2019 and another breach happened in January 2020, when 10,000 company documents were leaked along with protected health information. LabCorp could have been fined from $100 to $50,000 per record, but luckily, the penalty is maximized at $1.5 million per year.
The bigger problem was that the share price of LabCorp significantly dropped after these incidents and lawsuits, and because they did not create a response plan in the first place after the breach, the shareholders also sued LabCorp in order to recover their losses.
Heartland Payment Systems
Heartland Payment Systems is a Fortune 1000 bank card payment processor. They faced a massive data breach back in 2008. The credit and debit card numbers of 130 million customers were exposed through SQL injection attacks. Heartland Payment Systems had to provide over $145 million in compensation and the stock price fell by 80% in the market. Above all the company was sued by its own shareholders, because the company hid the scope of attack for over a year and they were unprepared for a cyber-attack.
EasyJet disclosed in May, 2019 that the information of 9 million customers and 2,200 credit card records were breached. This cyber incident of this UK airline company caused an £18 billion class-action lawsuit. It was filed by a passenger whose data were stolen and around £2,000 was secured for every EasyJet customer affected in the case.
Another well-known airline, British Airways, was fined by the Information Commissioner’s Office (ICO) in 2018. They had to pay £183.4 million because they were unable to protect their customers’ data. Visitors to the airline’s website were redirected to a false site. More than 500,000 pieces of personal data, such as names, email addresses and credit card information were stolen. Before this case the biggest penalty for data breach had been the £500,000, imposed on Facebook.
If you haven't tried BitNinja yet don't forget to register for the 7-day free trial! No credit card is needed!
We are always happy to help you, so feel free to contact us at firstname.lastname@example.org or on the Dashboard chat if you have any questions or need assistance.
Stay safe and happy hacker-hunting!
This article is a coproduction with Arslan Latif.