Intuit Data Breach Lawsuit Filed by TurboTax User Over 2024 Cyberattack

Intuit faces a proposed class action lawsuit over a reported 2024 data breach during which the sensitive personal information of a yet unknown number of current and former customers was allegedly stolen by cybercriminals. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 33-page Intuit data breach lawsuit alleges the global fintech company, whose services include TurboTax, Credit Karma, QuickBooks and Mailchimp, “lost control” over users’ sensitive data when hackers infiltrated its systems, a discovery reportedly made by the company on or around February 27, 2024. The suit alleges that the Intuit cyberattack occurred sometime between December 23, 2023 and February 21, 2024, and that consumers’ names, Social Security numbers, driver’s license numbers, dates of birth and financial details were among the data stolen in the breach. 

In the aftermath, Intuit has “refus[ed]” to disclose in its notice details of the incident including how many people were impacted or when the company discovered the unauthorized intrusion, the complaint, filed by a former TurboTax user on July 1 in California, says. 

According to the data breach lawsuit, it is unknown for precisely how long the perpetrators had access to Intuit’s network before the cyberattack, disclosed by the company in March, was discovered.

“…Defendant had no effective means to prevent, detect, stop, or mitigate breaches of its systems—thereby allowing cybercriminals unrestricted access to its current and former customers’ [personally identifiable information],” the proposed class action charges. 

Negligent cybersecurity to blame for Intuit data breach, lawsuit says

According to the suit, Intuit’s data security failures rendered current and former customers “easy targets for cybercriminals.” In particular, the case accuses Intuit of failing to appropriately train employees on cybersecurity and failing to have “reasonable cybersecurity safeguards and protocols” in place to protect the litany of sensitive information in its care, despite its legal obligation to protect the data it collects and stores in the course of its business.

“Defendant failed its duties when its inadequate security practices caused the Data Breach. In other words, Defendant’s negligence is evidenced by its failure to prevent the Data Breach and stop cybercriminals from accessing the [personally identifiable information]. And thus, Defendant caused widespread injury and monetary damages.” 

As a result of Intuit’s allegedly negligent, inadequate cybersecurity, proposed class members’ information is forever compromised, the filing stresses. 

“The exposure of one’s [personally identifiable information] to cybercriminals is a bell that cannot be unrung,” the lawsuit asserts, emphasizing that Intuit data breach victims’ personal information is “forever exposed and unsecure.” 

Intuit data breach notice muddies what actually happened, lawsuit claims

The case contends the Intuit data breach notice obfuscates specifics about the cyberattack, including when the hack began, how many victims were impacted, the particular information that was stolen, how the data breach occurred in the first place, and the full scope of the incident. 

The lawsuit also chides Intuit for waiting until around mid-March 2024 to begin to notify victims, even though the cyberattack reportedly occurred three to four months prior. 

“Thus, Defendant kept the Class in the dark—thereby depriving the Class of the opportunity to try and mitigate their injuries in a timely manner,” the case argues.

Further, the complaint alleges Intuit’s assurance that it has “taken various measures to help ensure that the accounts of affected customers are protected” is “too little too late,” as these protection measures “should have been implemented before the Data Breach.”

According to the case, Intuit’s offer of credit monitoring and identity protection services to some victims is “wholly insufficient” given the real injuries incurred by data breach victims.

Class action accuses Intuit of “a pattern of negligent data security” 

Worryingly, the proposed class action says, the 2024 Intuit data breach appears to be “part and parcel” of a pattern of inadequate data security for the company. 

In particular, the filing mentions that TurboTax users were the targets of a series of “takeover attacks” in 2014, 2015 and 2019, with the method of attack in 2019 “nearly identical” to those used in 2014 and 2015. The case explains that hackers were able to access the “complete identities of undisclosed numbers of users” by accessing their accounts and looking up previous tax returns. 

In 2021, Intuit once again notified TurboTax users that their personal and financial details had been compromised by an unauthorized actor and, in March 2022, sustained yet another cyberattack wherein more than 300 Mailchimp accounts were viewed and certain audience data was exfiltrated, the lawsuit shares.

Who qualifies for the Intuit data breach lawsuit?

The Intuit data breach class action lawsuit aims to represent all United States residents whose personally identifiable information was compromised in the Intuit data breach discovered by the company in February 2024, including all consumers who received notice of the data breach. 

How do I sign up for the Intuit data breach lawsuit? 

Current and former Intuit users do not need to do anything to be involved in the Intuit data breach lawsuit. In fact, there’s usually nothing a consumer needs to do to join or sign up for a proposed class action case when it’s initially filed in court.

It’s usually only in the event of a class action settlement that the people covered by the litigation, called class members, need to act. This typically involves filling out and filing a claim form online or by mail to receive benefits or a rebate from a class action settlement. 

Stay informed: Sign up for ClassAction.org’s free weekly newsletter.