Class Action: Millions of Walmart Accounts Offered for Sale on Dark Web Due to Website Vulnerabilities [UPDATE]
Last Updated on October 8, 2021
Gardiner v. Walmart Inc.
Filed: July 10, 2020 | 4:20-cv-04618
A class action alleges "severe vulnerabilities" found in Walmart's websites have allowed hackers to access customers' personal information.
Case Updates
October 8, 2021 – Lawsuit Dismissed
The lawsuit detailed on this page was dismissed after a federal judge found that Walmart’s allegedly unlawful conduct with respect to the plaintiff occurred before the California Consumer Privacy Act (CCPA) went into effect.
According to a July 28, 2021 order, the plaintiff contended in his original complaint that he had discovered his personal information was up for sale on the dark web in 2019. For his CCPA claim to survive, however, the data breach would have had to occur on or after January 1, 2020, the law’s effective date, the order states.
While the plaintiff later submitted a deposition in which he claimed the date was “clearly the result of a scrivener’s error” and that he had really discovered that his data was up for sale on June 9, 2020, U.S. District Judge Jeffrey S. White was unconvinced.
“The Court’s previous Order put Plaintiff on notice that his CCPA claim could not survive absent allegations that the violation occurred on or after January 1, 2020. Following that Order, it is not credible that this allegation, which is central to Plaintiff’s CCPA claim, is the result of a typo or misunderstanding,” the judge wrote.
Moreover, given the plaintiff used the same “‘drafting error’ tactic” to avoid other “problematic allegations” in the original complaint, his claim in this context is “even less credible,” Judge White stated.
The judge also dismissed the rest of the plaintiff’s claims, finding that the man had not sufficiently alleged that his personal information had lost value as a result of the breach and that he faced a risk of future harm, especially given his allegedly compromised credit cards had expired.
The lawsuit was dismissed with prejudice, meaning the plaintiff has been given no chance to re-file.
March 5, 2021 – Lawsuit Dismissed with Leave to Amend
The judge overseeing the case detailed on this page has granted Walmart’s motion to dismiss while giving the plaintiff leave to amend his suit.
According to a March 5 order, U.S. District Judge Jeffrey S. White ruled that the plaintiff’s California Consumer Privacy Act (CCPA) claim cannot stand because the plaintiff failed to allege that Walmart’s violations occurred on or after January 1, 2020, when the CCPA went into effect.
Moreover, the complaint did not sufficiently allege that the plaintiff’s “personal information” was disclosed, the judge wrote. Though the plaintiff generally referred to “financial information” being disclosed in a data breach, he did not allege the disclosure of a credit or debit card or account number along with the required security or access code, according to the order.
“Although the Court will draw reasonable inferences in Plaintiff’s favor at this stage, it cannot read missing allegations into the complaint,” the judge wrote.
The judge also dismissed the plaintiff’s claims for negligence, breach of contract, and violations of California’s Unfair Competition Law, ruling that the plaintiff failed to sufficiently allege injury to support his remaining claims.
More specifically, the judge wrote that the plaintiff failed to show that he suffered injury due to loss of value of his personally identifiable information, future risk of identity theft, out-of-pocket expenses for necessary credit monitoring services and loss of the benefit of his bargain.
The judge has allowed the plaintiff 21 days to amend his complaint.
The full dismissal order can be read here.
A proposed class action alleges millions of Walmart accounts—and the information therein—have been offered for sale on the dark web as a result of “severe vulnerabilities” with the mega-retailer’s website.
The plaintiff, a San Francisco resident, claims his Walmart account is currently up for sale on the dark web after being “accessed by hackers” during an undisclosed data breach within the last four years. Information allegedly compromised in the breach included Walmart account holders’ full names, addresses, financial details, credit card information and other private data.
According to the 32-page complaint, myriad vulnerabilities with Walmart’s website are to blame for hackers being able to attack the retailer’s computer systems directly and access, harvest and put up for sale millions of customer accounts. The lawsuit claims Walmart “has been the target of many successful hacks” given the dark web is “replete” with stolen customer accounts.
Per the case, a scan of Walmart’s website domains using Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), a widely used tool for scanning websites for security weaknesses, found at least six major vulnerabilities, including:
- Seven instances in which IP addresses were being disclosed in the public website code, which may contribute to an attack on Walmart’s systems;
- Forty-four instances of password autocomplete enabled, which could make matters easier for a hacker looking to breach a user’s account or aid password-extracting malware;
- Cookies being set without the HttpOnly flag, which can be accessed by malware and used to conduct session hijacking attempts on customer computers;
- More than 8,600 instances in which cross-site scripting (XSS) protection was not enabled, a “very serious issue,” the lawsuit says, that could leave a site vulnerable to attacks on areas that see a high level of user interaction;
- More than 100,000 instances of cross-domain JavaScript source file inclusion, which could also allow a hacker to perform cross-site scripting and insert malicious JavaScript; and
- More than 93,000 instances of a cookie without the secure flag being set, which can enable cookies to be accessed through an unencrypted connection.
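For site owners who want to check their own pages for four of the finding classes listed above (cookies missing HttpOnly or Secure, password autocomplete, cross-domain script inclusion), the following is an added example, not code from the complaint, the article or OWASP ZAP. The response headers, HTML, host names and finding labels are all constructed for illustration.

```python
# Added example: passive checks on one HTTP response for four finding classes
# named in the list above. Sample data is constructed, not captured traffic.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HEADERS = [  # constructed
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "cart=42; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
]
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><form>
<input type="text" name="user">
<input type="password" name="pw">
<input type="password" name="pw2" autocomplete="off">
</form></body></html>"""  # constructed

def audit_cookies(headers):
    """Flag Set-Cookie headers that lack the HttpOnly or Secure attribute."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("cookie-no-httponly", cookie))
        if "secure" not in attrs:
            findings.append(("cookie-no-secure", cookie))
    return findings

class _PageAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Password field that does not set autocomplete="off".
        if tag == "input" and a.get("type", "").lower() == "password":
            if a.get("autocomplete", "").lower() != "off":
                self.findings.append(("password-autocomplete", a.get("name", "")))
        # Script loaded from a host other than the page's own.
        if tag == "script" and "src" in a:
            host = urlparse(a["src"]).netloc
            if host and host != self.page_host:
                self.findings.append(("cross-domain-script", a["src"]))

def audit_html(html, page_host):
    """Return findings for password autocomplete and cross-domain scripts."""
    parser = _PageAudit(page_host)
    parser.feed(html)
    return parser.findings
```

A finding from a check like this marks a hardening gap to review; it does not by itself show that any data was accessed.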
Subsequent scans of Walmart’s online properties, including its grocery site, using high-grade vulnerability scanners—such as the Nessus scanner—revealed numerous other vulnerabilities that could expose customers’ sensitive data, the lawsuit adds.
In all, Walmart has failed to implement and maintain reasonable security procedures and practices to safeguard the personal data of customers, the plaintiff alleges, adding that the retailer has “failed whatsoever to notify its customers that their data has been stolen.” From the case:
“As a direct and proximate result of Defendants’ wrongful actions and inaction and the resulting data breach, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing risk of harm from identity theft and identity fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the subject data breach on their lives by, among other things, placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts for unauthorized activity.”
The lawsuit looks to cover all California residents who had a Walmart account at any time within the last four years.