Cash Express Sued Over 2022 Data Breach Affecting 106K Customers

New to ClassAction.org? Read our Newswire Disclaimer

Payday lender Cash Express faces a proposed class action over a data breach that occurred from January to February 2022 and impacted approximately 106,000 individuals.

The 26-page lawsuit alleges Cash Express has violated Tennessee data privacy laws by failing to implement reasonable cybersecurity measures to safeguard its borrowers’ sensitive data. The case says that the breach occurred between January 29 and February 6, 2022, and stresses that hackers had proposed class members’ data in their hands for roughly seven and a half months before Cash Express alerted them to the incident in September.

According to the complaint, Cash Express’s negligence has compromised consumers’ personal information, including Social Security numbers, full names, dates of birth, contact information, driver’s license numbers, “limited medical details,” and bank account and routing numbers.

Per the complaint, the company, who has locations in Tennessee, Mississippi, Alabama and Kentucky, failed to meet industry-wide minimum standards for cybersecurity, including the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Control. Cash Express also overlooked the Federal Trade Commission’s cyber-security guidelines for businesses, the case asserts.

As the lawsuit tells it, Cash Express promises in its privacy policy to “use security measures that comply with federal law.” However, the lawsuit alleges the company’s failure to employ “reasonable and appropriate” security measures is out of line with the Federal Trade Commission Act.

Moreover, the complaint argues that the data breach was foreseeable due to warnings from the FBI and U.S. Secret Service making it widely known that cybercriminals have been targeting companies like Cash Express.

The filing argues that the year of credit monitoring from Experian Identity offer to data breach victims by Cash Express is “wholly inadequate” given that affected individuals now face a “lifetime risk” of identity theft.

Moreover, the suit relays that Cash Express has not offered “minimum concrete information” on how it plans to prevent a future data breach. The case stresses that the 2022 data breach was not an isolated incident, as an in 2015 employee was reportedly charged with using the information of former customers to fraudulent open loans.

The lawsuit looks to represent anyone in the United States whose sensitive personal information was compromised in the data breach announced by Cash Express on or about September 12, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.