CBD Industries, cbdMD Hit with Lawsuit Over Reported March, May 2020 Data Breaches [UPDATE]
by Erin Shaak
Last Updated on August 19, 2021
Warshawsky et al. v. cbdMD, Inc. et al.
Filed: October 9, 2020 ◆ § 3:20-cv-00562
A class action lawsuit has been filed against cbdMD, Inc. and CBD Industries, LLC over two data breaches that reportedly occurred between March and May 2020.
Case Updates
August 19, 2021 – Plaintiffs Ask Court to Approve $300K Settlement
Counsel for the plaintiffs in the case detailed on this page have asked the court to approve a proposed $300,000 deal to settle their claims.
The settlement, which the plaintiffs say was reached after “hard-fought” negotiations, proposes to cover anyone in the U.S. who made a purchase online with cbdMD between March 30, 2020 at 00:03:12 UTC (Coordinated Universal Time) and the end of May 8, 2020, or between May 14, 2020 at 21:02:57 UTC and the end of May 18, 2020.
Under the terms of the proposed deal, as detailed in an April 30 memo, those covered by the settlement will be able to claim reimbursement of up to $210 for out-of-pocket expenses relating to the security incident, such as card replacement fees, bank fees, postage, mileage, credit monitoring and identity theft protection services, and documented lost time.
Those who claim to have suffered “extraordinary, unreimbursed monetary losses” due to the incident will be eligible to claim reimbursement of up to $2,500.
The April 30 memo further notes that the defendants have agreed to implement several changes to their business practices to increase security.
The deal now awaits the judge’s stamp of preliminary approval before notice can be sent to those affected.
March 23, 2021 – Lawsuit Settled Through Mediation
The proposed class action detailed on this page has been settled through mediation, a negotiation facilitated by a third party. Details of the deal are not yet available.
The parties involved with the suit advised the court on March 4 that a mediated settlement is forthcoming and have requested a deadline of March 31, 2021 for the plaintiffs to file a motion for preliminary approval.
“Attorneys for both parties attended the mediation, as well as two representatives for Defendants and a representative for Defendants’ insurer,” court documents state. “At the end of the full day mediation the Parties were able to reach a settlement.”
A proposed class action lawsuit has been filed against cbdMD, Inc. and CBD Industries, LLC over two data breaches that reportedly occurred between March and May 2020.
According to the case, the defendants’ failure to safeguard customers’ personal and financial data allowed the information to be exposed to unauthorized third parties and has placed affected customers at a heightened risk of identity theft and fraud.
“The criminals obtained everything they needed to illegally use CBD’s customers’ payment cards to make fraudulent purchases, and to commit myriad financial crimes and fraud,” the complaint says.
The lawsuit alleges the defendants, who sell hemp products used for pain relief and general health for both humans and pets, notified the U.S. Securities and Exchange Commission (SEC) on September 25, 2020 that an unauthorized party had modified the ecommerce platform underlying cbdmd.com to include “malicious code” that “scraped” customers’ personal identifying information (PII) from the site.
On September 29, CBD sent notice to several states’ attorneys general specifying that two data breaches had occurred “from March 30, 2020, through May 8, 2020, and May 14, 2020, through May 18, 2020,” the suit relays.
Per the case, the “scraped” information included customers’ names, addresses, email addresses, payment card numbers, CVV security codes, credit card expiration dates and bank account numbers.
In data breach notices sent to affected customers days after the companies’ stockholders were notified, the defendants offered only 12 months of “identity monitoring” and failed to “admit to improving or securing their ecommerce platform,” much less provide any details of their investigation into the security events, the suit says.
The case asserts that CBD customers’ private information “is likely for sale on the dark web” to criminals who intend to use the information to commit fraud and steal customers’ identities.
“This means that the Data Breaches were successful,” the complaint states, adding that the defendants should have been prepared to defend against security breaches given that the FBI issued a warning in October 2019 “about this exact type of fraud” and how companies could combat it.
According to the suit, the breaches occurred as a result of CBD’s failure to implement reasonable security procedures and practices appropriate to the nature of the information they collected from customers.
Both of the plaintiffs, who each purchased products from the defendants’ website, claim they experienced fraud as a result of the data breaches. While one plaintiff had over $1,300 transferred from his checking account by an unauthorized party, the other was forced to stop a $452.54 charge on his debit card at a Best Buy in another city, according to the complaint. The plaintiffs say they’ve been forced to spend time dealing with the consequences of the data breach and are “very concerned” about the potential for more fraudulent activity and identity theft in the future.