Consumer Electronics Daily was a Warren News publication.
‘Not Transparent’

Samsung Data Breach Sparks Second Class Action in a Week

Samsung’s Sept. 2 disclosures that cybercriminals had illegally accessed and stolen confidential “personally identifiable information” (PII) from millions of Samsung customers’ accounts sparked the second class-action fraud complaint within a week from consumers contending the company was lax in protecting their sensitive data from hackers.

Michigander Stephan Clark, a current Samsung customer, was notified by e-mail the same day the company posted urgent security notifications on its website that his PII was compromised in the data breach, said his complaint. Clark made “reasonable efforts to mitigate the impact of the breach,” including reviewing credit reports “for any indication of actual or attempted identity theft,” said his complaint Friday (docket 2:22-cv-05697) in U.S. District Court in Newark, New Jersey. The earlier complaint was filed Sept. 19 in U.S. District Court in Manhattan.

Samsung made “multiple promises so as to alleviate concerns any customers may have” about providing the company with sensitive PII, said the complaint. Samsung “enriched itself” through the collection of a “treasure trove” of PII about consumers, and profited off its collection of that information, but “failed to employ reasonable, accepted safety measures to secure that valuable information,” it alleged. Samsung didn’t comment Monday.

Samsung claims it didn't discover the data breach until around Aug. 4 after an ongoing investigation, said the complaint. Samsung touts that it always aims to do the right thing by being open and honest with its customers, it “did not release a statement to affected customers until almost a month after learning of the data breach,” it said.

Samsung’s Sept. 2 disclosures, besides being delayed by a month, also were “not transparent,” said the complaint. Its statements did not explain how the data breach occurred, how Samsung discovered the hack, or why it took the company a month to come clean with the public, it said. The exposure of consumers’ names, dates of birth, contact and demographic information and product registration information “increases their risk exponentially for precision spearphishing attacks, engineered SIM swaps, and the threat of credit and loans being taken out in their names,” it said.

The suit levels a variety of accusations against the company, including negligence, breach of implied contract, breach of covenant of good faith and fair dealing and misrepresentation, plus violation of Michigan’s Identity Theft Protection Act. It seeks statutory and punitive damages, plus injunctive relief, including an order that Samsung “engage third-party security auditors and internal personnel to run automated security monitoring.”