Data Breach Lawsuits & Investigations

A data breach is a cybersecurity incident whereby an unauthorized party or parties gain access to sensitive, protected and/or confidential information belonging to an individual or organization.

The information stolen or compromised in a data breach can include, but may not be limited to, names, email addresses, physical addresses, passwords, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, credit card numbers, debit card numbers, CVV numbers, medical information, diagnoses, health insurance information, biometric data, and taxpayer ID numbers. Data breaches also may involve sensitive business information, trade secrets or national security matters.

The causes of a data breach, sometimes called a cyberattack, can include software vulnerabilities, email-based phishing attempts, ransomware, accidental disclosure, access improperly given to computer systems, a lack of encryption, or hacking perpetrated by cybercriminals.

Not necessarily. When a company experiences a data breach, state law requires that it notify affected individuals. Receiving a letter does not automatically mean that your personal information is being used fraudulently – it just means your information was exposed in a data security incident and has the potential for being misused.

If your Social Security number is involved in a data breach, you’ll want to monitor and check your credit report and financial accounts for any signs of identity theft. Warning signs of identity theft can include withdrawals from your bank account that you can’t explain, missing bills or other mail, contact from debt collectors you don’t recognize, unfamiliar charges on your debit/credit cards, and unfamiliar accounts or charges on your credit report.

If your identity is in fact stolen from a data breach, report it to the Federal Trade Commission on IdentityTheft.gov and receive a personalized recovery plan.

To help protect yourself from identity theft, you can contact each of the three major credit bureaus—Equifax, Experian and TransUnion—to place a credit freeze on your credit report. A credit freeze will restrict access to your credit information and prevent anyone from opening a new credit account in your name.

Freezing your credit in the event of a data breach does not harm your credit score and will stay in place on your credit report until you decide to lift it.

In addition, you can also place a fraud alert on your credit reports, which alerts businesses to check with you before any new account is opened in your name. However, unlike a credit freeze, a fraud alert does not prevent businesses from seeing your credit report data, the FTC says.

Anyone who is concerned about identity theft can place an initial fraud alert on their credit report for free. To do this online, visit the Equifax, Experian or TransUnion website; you don’t have to contact all three. An initial fraud alert typically lasts for one year and can be renewed should a consumer opt to do so.

Another, more serious form of identity theft protection in the event of a data breach is an extended fraud alert, which, like an initial fraud alert, requires a business to contact you before any new credit is issued in your name. To create an extended fraud alert, you must have experienced identity theft and completed an FTC identity theft report or filed a police report.

An extended fraud alert will exist on your credit report for seven years, after which it can be renewed so long as an FTC identity theft or police report is resubmitted. An extended fraud alert can also be set up online through Equifax, Experian or TransUnion.

If you get a data breach notice, make sure to read it closely. It should contain information on what happened, what information was involved, what the company is doing about it, steps you can take to protect yourself, and how you can get more information.

Some companies may offer free credit and/or identity theft monitoring for a period of time following a data breach, and the notice should include instructions on how to sign up. If you’re offered free monitoring, take advantage of it; signing up should not affect any legal claim you may have against the company.

Importantly, if you get a data breach letter, don’t throw it out! If you are interested in helping any of the investigations listed on this page, attorneys will want to see the letter you received.

Attorneys working with ClassAction.org are specifically looking to hear from people with a data breach notice because it essentially serves as proof that the individual was a victim of the incident and makes for a stronger legal claim.

Yes. If your data was exposed in a security incident, you may be able to sue the company or companies responsible. Dozens of data breach class action lawsuits are filed each month, and this number only continues to increase. You can check out the proposed data breach class actions we’ve covered recently over on our newswire.

To verify whether a data breach notice letter you received is real, the first step is to Google the company name, along with the words “data breach.” More often than not, the search results, which may include news articles, will reveal whether the data breach letter in your possession stems from a real-world cyberattack.

You can also check ClassAction.org directly to see if we’ve reported on the data breach, though it’s important to note that we do not cover every incident.

If you are unsure of whether a data breach notice is legit, contact the company directly through a verified channel to confirm the data breach. Many times, companies post data breach notices on their websites.

Generally, a data breach notice you receive via email will come from a company or organization’s official email address and will usually address you by name.

Do not click on any links in the notice that may look suspicious or don’t match the company’s official website. Lastly, keep an eye out for spelling and grammar mistakes in a data breach notice, as they might indicate that the message is fake.

Absolutely. Here is an example of one sent to Forever 21 employees following a massive data breach that occurred in March 2023. This is the letter sent to consumers affected by the MAPFRE insurance data breach in late August 2023. In some cases, notices may be sent via email.

It’s important to note that, in rare cases, you may not recognize the company sending the letter, but this does not mean it was sent in error.

For instance, a May 2023 data incident affecting a popular file transfer tool caused millions of individuals to have their information exposed. In this instance, many of the data breach letters were sent by a third-party vendor of the affected companies. For example, PBI Research Services sent this letter to customers of Corebridge Financial.

It’s important that, if you receive any data breach notice, you do not throw it out. If you’ve already done so, you may want to check the company’s website for their official notice of the breach – it should include the same information that was in your notice. You may also want to check the post for a dedicated number consumers can call with questions about the security incident. It’s worth a call to see if they can resend your notice, but this may not be possible.

Notices aren’t always sent immediately after a breach hits the news, so you may just have to be patient. Otherwise, you can check the company’s website to see if they’ve posted a notice about the breach – it may contain a number you can call with questions. They should, at the very least, be able to answer when notices are expected to go out and may also be able to confirm whether you were affected.

Be sure to bookmark our page and come back to it if you believe you’ve been affected by a data breach listed below but haven’t received a notice yet.

In general, data breach victims can seek compensation for lost time responding to the incident, out-of-pocket costs related to the breach and loss of privacy.

Depending on the specifics of the data breach, out-of-pocket costs may include some of the following: money spent on preventative measures, such as identity theft and/or credit monitoring; service fees to replace stolen cards; money spent on credit reports and/or credit freezes; the costs associated with obtaining background checks or medical records; increased health insurance costs; and money lost via fraudulent transactions, fraudulent medical bills or stolen tax refunds.

Further damages may become available depending on the type of information exposed. For instance, if a person’s health data is leaked, they may be able to recover money for reputational damage if they are denied medical care or insurance coverage. Likewise, a person whose Social Security number is exposed may be able to recover money for damage to their credit.

How much you can claim in any data breach settlement will depend on a number of factors, including the specifics of the settlement, the amount of time you spent responding to the incident, the type and total amount of your out-of-pocket expenses, and how many claims are filed. There are never any guarantees as to whether a data breach lawsuit will be successful or how much they could provide to consumers; however, some of the largest data breach settlements obtained via class action lawsuits include a $350 million deal with T-Mobile and a $190 million deal with Capital One.

We post class action settlements, including those involving data breaches, over on this page.

If you were affected by a data breach, you should receive a notice via email or regular mail about the incident and what information may have been exposed. All 50 states require that businesses and governments alert consumers if their personal information is breached.

While it may not be possible to completely secure your sensitive information, some steps you can take to protect yourself from a data breach and its fallout include:

• Using strong, complex passwords, preferably a different one for each account;
• Regularly changing passwords;
• Using multi-factor authentication (MFA) when available;
• Encrypting your data;
• Updating your devices’ software regularly;
• Shopping with a credit card, as you may incur less liability in the event of fraudulent charges or if your account is hacked; and
• Consistently monitoring your accounts for fraud, including by setting up account alerts.

It can also be helpful to have a response plan should your personally identifiable information become compromised in a data breach or cyberattack.

Always be wary of unsolicited correspondence from companies with whom you have no relationship, and never give anyone remote access to your devices.

According to InfoSec Institute, the leading cause of data breaches is human error, which may involve privilege misuse, stolen credentials or social engineering, a tactic whereby hackers can bypass having to create their own access points by goading individuals with legitimate access to grant it for them. Other common causes of data breaches and cyberattacks include weak credentials, software vulnerabilities, malware, ransomware, DNS attacks, improper API configuration and excessive permissions.

If you’re interested in starting a class action lawsuit, you should know that those who elect to serve as a lead plaintiff are generally entitled to what’s known as a “service award” – that is, an additional payment for their help with the case. Typically, the lead plaintiff in a data breach case does not need to be involved as much as they would in other types of lawsuits. Depositions in these types of class actions are rare, and little documentation and information – aside from the initial data breach notice – is needed.

Plus, if you elect to serve as a lead plaintiff, you can feel good that you’re working to hold a company legally accountable for failing to protect the private information of potentially hundreds of thousands of individuals.

In the event of a data breach lawsuit settlement, ClassAction.org will have the complete details over on our class action settlements page.