Metromile Hit with Class Action After Online ‘Bug’ Causes Data Breach Affecting 100K+ Customers

New to ClassAction.org? Read our Newswire Disclaimer

Metromile, Inc. faces a proposed class action over an alleged five-month data breach in which the personal information of more than 100,000 of the pay-per-mile auto insurance company’s customers was reportedly compromised. 

According to the 33-page lawsuit, Metromile began notifying customers and state attorneys general on March 5, 2021 that a data breach had occurred between July 2020 and January 2021. During the incident, which the company said stemmed from a “bug” with an online quote form, hackers obtained from Metromile more than 100,000 customers’ “personally identifiable information,” including driver’s license numbers, the case says. 

Although it claimed in its data breach notice to have promptly and thoroughly taken steps to address the incident upon its discovery, Metromile waited almost two months to notify affected consumers and failed to relay any specifics of the true scope of the incident, the lawsuit asserts. 

The complaint alleges San Francisco-headquartered Metromile’s customers’ personal data was compromised as a result of the company’s negligent and/or careless failure to adequately monitor its systems and protect the information, which the suit stresses “has great value to hackers” and leaves those affected at a heightened risk of identity theft and fraud for the foreseeable future. The filing contends that criminals have already used the information stolen from Metromile to attempt to steal proposed class members’ identities. 

Per the case, a recent Securities and Exchange Commission filing from Metromile expanded on the apparent source of the data breach:

“Metromile discovered a cybersecurity incident arising out of a software bug related to its online pre-filled quote form and application process. Based on its initial investigation, Metromile determined that unknown persons exploited the software bug to obtain person [sic] information of certain individuals, including individuals’ driver’s license numbers of certain individuals [sic][.]” 

Customer information compromised in the breach includes not only driver’s license numbers but full names, addresses, phone and Social Security numbers, email addresses, dates of birth, gender specifics, marital statuses and vehicle data, the case relays. The foregoing information is collected by Metromile in the process of providing prospective customers with quotes for car insurance, the suit says, noting the company “promises to provide confidentiality and security for personal information.” 

The lawsuit contends that Metromile was obligated by contract, industry standards, common law and representations made to consumers to protect the personally identifiable information in its care from unauthorized access and disclosure. Metromile was well aware of the risks of a data breach, in particular given the substantial uptick in cyberattacks and/or data breaches within the banking, credit and financial sectors in recent years, the suit relays.

“Plaintiff and members of the Class now currently face years of constant surveillance and monitoring of their financial and personal records and loss of rights,” the case reads. “The Class are incurring and will continue to incur such damages in addition to any fraudulent use of their PII.” 

The complaint alleges Metromile, to date, has “done absolutely nothing” to provide those affected by the data breach with relief for the damages they’ve incurred. The company has offered only two years of “inadequate identity protection credit monitoring services,” the suit says, noting that “it is unclear whether that credit monitoring was only offered to certain affected individuals (based upon the type of data stolen), or to all persons whose data was compromised in the Data Breach.” 

The plaintiff, a Rockland County, New York resident, claims to have received in the wake of the Metromile data breach notice from the state’s Department of Labor that an unauthorized party filed a claim for unemployment insurance benefits using his identity. The New York DOL notice reportedly stated that “[w]e believe that someone, using identity information stolen from you either recently or in the past, attempted to file this claim,” and noted that it may have been due to a prior data breach at another institution. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.