Dolly Delivery Service Failed to Protect Private Data from Cyberattack, Class Action Claims
Baker v. Dolly, Inc.
Filed: December 29, 2023 | § 2:23-cv-02004
Washington
A proposed class action accuses Dolly, Inc. of failing to protect the personal data of current and former employees, independent contractors and customers during a cyberattack announced in November 2023.
According to a November 2 notice letter sent to victims, the Seattle-based on-demand delivery service discovered on August 26, 2023 that it had experienced a “potential security event.” A subsequent investigation determined that an unauthorized third party had gained access to the company’s network and obtained certain files containing individuals’ private information, the notice says.
The 36-page lawsuit claims that the cyberattack exposed a “far greater range” of personal data than what Dolly disclosed in the notice, which lists only individuals’ names and Social Security numbers as potentially compromised. The suit alleges that the highly sensitive information exposed in the ransomware attack may have also included addresses, phone numbers, dates of birth, ages, genders, email addresses, debit and credit card details, account login data, registration dates and computer system information.
The case contends that Dolly, which operates in 45 cities across the country, failed to implement reasonable data security safeguards and train its employees in cybersecurity protocols. The company’s alleged negligence put the private information in its care in a “vulnerable position” and made it an “easy target[] for cybercriminals,” the complaint charges.
“It is unknown for precisely how long the cybercriminals had access to [Dolly’s] network before the breach was discovered,” the filing says, arguing that the defendant “had no effective means to prevent, detect, stop, or mitigate breaches of its systems,” which allowed criminal actors “unrestricted access” to the company’s stored data.
What’s more, although Dolly claims to have learned of the incident in late August 2023, it waited until early November to begin notifying victims, the lawsuit states. This delay deprived impacted individuals of the chance to take steps to mitigate the harms caused by the data breach, the suit asserts.
The case notes that data thieves have since leaked victims’ personal information on the dark web. Victims like the plaintiff, a former Dolly employee residing in Wisconsin, now face an ongoing risk of identity theft or fraud as a result of the company’s negligence, the complaint contends.
The lawsuit looks to represent anyone in the United States whose private information was compromised in the data breach discovered by Dolly in August 2023, including individuals who received notice of the incident.