PayPal sued for negligence in data breach that affected 35,000 users

PayPal sued for negligence in data breach that affected 35,000 users

Alleged data breach victims have sued PayPal in federal court for failing to safeguard their personal data, and are asking for class-action certification.

Credit: Dreamstime

A pending class action lawsuit accuses online payments giant PayPal of failing to adequately safeguard the personal information of its users, leaving them vulnerable to identity theft and related ills at the hands of the unidentified perpetrators of a data breach that occurred late last year.

Nearly 35,000 people were affected by the cyberattack, which used previously compromised usernames and passwords to gain access to PayPal’s systems. 

PayPal’s notice to users whose personal information was compromised indicated that the company first learned of the attack just before the holidays in 2022, and that the attack was eventually determined to have happened between December 6 and December 8.

The notice was sent out January 19, and said that there was "no evidence" that the compromised logins were taken from PayPal's systems. 

Rather, it's likely that username and password data gleaned from other cyberattacks were used to attempt to log in to PayPal accounts, which succeeded in some cases where users recycled their passwords.

Lawsuit says PayPal failed to comply with FTC guidelines

The plaintiffs in the civil suit, one of whom is from Texas and the other from Nebraska, accuse PayPal of failing to comply with FTC guidelines for data protection, essentially saying that the company was negligent in its protection of consumer data. The suit was filed last week in the Northern District of California.

The complaint levels nine individual charges at PayPal, accusing the company of unjust enrichment, violating multiple state consumer protection laws, breach of contract, negligence and negligence per se. (The last means, in essence, that the company breached a duty of care imposed on it by a specific law, rather than a more general legal duty of care required for a standard negligence claim.) 

These allegations are based on a wide variety of asserted facts, and the complaint accused PayPal of failing to adhere to a host of different NIST Cybersecurity Frameworks.

The plaintiffs said that they had suffered a number of harms as a result of PayPal’s alleged negligence, including being “forced to expend time dealing with the effects of the [d]ata [b]reach,” exposure to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and associated services. 

They’ve also asked the judge to certify the suit as a class action, given the large number of alleged victims and the impracticality of naming them all as parties to the suit.

The suit asks for an unspecified amount of monetary damages for violating the various consumer protection laws and as equitable relief, funding for lifetime credit monitoring and identity theft insurance, and more. That’s in-line with recent legal opinion on data breach-related lawsuits, which have been met with mixed responses from US courts.

According to Robert Dillard, a legal analyst for Bloomberg Law, claims for losses in data breach incidents faced an “uneven path” forward in federal courts last year.

“2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims,” he wrote in a November analysis. “However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.”

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments