Alleged data breach victims have sued PayPal in federal court for failing to safeguard their personal data, and are asking for class-action certification. Credit: AndreyPopov / Getty Images A pending class action lawsuit accuses online payments giant PayPal of failing to adequately safeguard the personal information of its users, leaving them vulnerable to identity theft and related ills at the hands of the unidentified perpetrators of a data breach that occurred late last year.Nearly 35,000 people were affected by the cyberattack, which used previously compromised usernames and passwords to gain access to PayPal’s systems. PayPal’s notice to users whose personal information was compromised indicated that the company first learned of the attack just before the holidays in 2022, and that the attack was eventually determined to have happened between December 6 and December 8.The notice was sent out January 19, and said that there was “no evidence” that the compromised logins were taken from PayPal’s systems. Rather, it’s likely that username and password data gleaned from other cyberattacks were used to attempt to log in to PayPal accounts, which succeeded in some cases where users recycled their passwords.Lawsuit says PayPal failed to comply with FTC guidelinesThe plaintiffs in the civil suit, one of whom is from Texas and the other from Nebraska, accuse PayPal of failing to comply with FTC guidelines for data protection, essentially saying that the company was negligent in its protection of consumer data. The suit was filed last week in the Northern District of California. The complaint levels nine individual charges at PayPal, accusing the company of unjust enrichment, violating multiple state consumer protection laws, breach of contract, negligence and negligence per se. (The last means, in essence, that the company breached a duty of care imposed on it by a specific law, rather than a more general legal duty of care required for a standard negligence claim.) These allegations are based on a wide variety of asserted facts, and the complaint accused PayPal of failing to adhere to a host of different NIST Cybersecurity Frameworks.The plaintiffs said that they had suffered a number of harms as a result of PayPal’s alleged negligence, including being “forced to expend time dealing with the effects of the [d]ata [b]reach,” exposure to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and associated services. They’ve also asked the judge to certify the suit as a class action, given the large number of alleged victims and the impracticality of naming them all as parties to the suit. The suit asks for an unspecified amount of monetary damages for violating the various consumer protection laws and as equitable relief, funding for lifetime credit monitoring and identity theft insurance, and more. That’s in-line with recent legal opinion on data breach-related lawsuits, which have been met with mixed responses from US courts.According to Robert Dillard, a legal analyst for Bloomberg Law, claims for losses in data breach incidents faced an “uneven path” forward in federal courts last year.“2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims,” he wrote in a November analysis. “However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.” Related content news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices feature 20 years of Patch Tuesday: it’s time to look outside the Windows when fixing vulnerabilities After two decades of regular and indispensable updates, it’s clear that security teams need take a more holistic approach to applying fixes far beyond the Microsoft ecosystem. By Susan Bradley Dec 06, 2023 6 mins Patch Management Software Threat and Vulnerability Management Windows Security feature What should be in a company-wide policy on low-code/no-code development Low-code/no-code development could bridge the gulf of development backlogs that exists between great ideas and great execution of digital innovation. But not without security policies around areas like access control, code quality, and application vi By Ericka Chickowski Dec 06, 2023 15 mins Application Security Security Practices news analysis Cisco unveils AI-powered assistants to level up security defenses New AI-driven tools aim to simplify and bolster policies, alerts and prevention to reduce complexity when setting security policies and assess traffic without decryption. By Rosalyn Page Dec 05, 2023 5 mins Encryption Cloud Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe