Minted Faces Proposed Class Action Lawsuit Over May 2020 Data Breach [UPDATE]
by Erin Shaak
Last Updated on September 26, 2024
Atkinson et al. v. Minted, Inc.
Filed: June 11, 2020 ◆§ 3:20-cv-03869
Minted faces a class action that claims its “inadequate security systems” allowed a hacking group to access customers’ personal information in a May 2020 data breach.
California
Case Updates
July 6, 2021 – Minted Data Breach: $5M Settlement Website Is Live
Did you receive an email about the Minted data breach settlement? If so, you should know that the notice is legit, as the settlement received preliminary approval from a judge in May. Here are the specifics.
Want settlement news like this sent to your inbox? Sign up for ClassAction.org’s free weekly newsletter here.
The official Minted data breach settlement website is:
https://www.mintedsettlement.com/
The proposed settlement, approved by U.S. District Judge Vince Chhabria on May 14, 2021, covers all United States residents who had a Minted, Inc. online account, or provided Minted their name, email address, street address and/or other personal information via email, the Minted website, or other online communication on or before June 27, 2020.
To file a claim, head to this page an enter the claimant code included in your email notice: https://www.mintedsettlement.com/Online
The deadline by which to file a claim is September 16, 2021. The only way to receive payment or credit services from the settlement is to file a claim. If you do nothing, you will receive nothing.
Those covered by the settlement, called “class members,” who submit valid claims will be able to receive direct payments of approximately $43 (depending on how many claims are filed) and two years of credit monitoring and identity restoration services. As part of the settlement, Minted has also agreed to implement additional cybersecurity measures to help protect the information stored in its database.
The court has not decided in favor of either party. A final fairness hearing for the settlement is slated for December 2, 2021.
To contact the settlement administrator, head to this page, or call 1-877-777-9145.
Minted, Inc. faces a proposed class action in which two consumers claim the online marketplace’s “inadequate security systems” allowed a hacking group to access customers’ personal information in a May 2020 data breach.
In a May 28 notice to customers, the defendant, an online marketplace for “crowd sourced” goods made by independent artists, disclosed that it “became aware” on May 15 of a report that listed Minted as one of at least 10 other companies impacted by a cybersecurity incident, the lawsuit says. According to the case, a hacking group known as Shiny Hunters attempted to sell on the dark web on May 6 more than 73.2 million records containing the personally identifiable information (PII) of 11 different companies’ customers, including five million who shopped on Minted.
Minted has acknowledged that the compromised information included a combination of customer names, email addresses, “hashed” or “salted” passwords and, in some cases, telephone numbers and billing and shipping addresses, the lawsuit states. Though the company has said it has “no reason to believe that … payment or credit card information, address book information, photos or personalized information” were breached, the case argues that Minted has neither confirmed that these data were not disclosed nor informed customers of the basis for its belief that the information was not compromised.
“It is now more than one month since the Data Breach occurred, and Minted’s stated position is, in effect, that it is still unsure just how much of its customers’ PII was hacked,” the complaint scathes.
The lawsuit claims Minted failed to maintain adequate security measures as required by the newly enacted California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020. According to the suit, the “hashed” or “salted” passwords compromised in the breach were not necessarily encrypted, meaning they “can be accessed and used even while […] redacted with different levels of utility based on how much manipulating of the data is done to protect privacy.” At a minimum, the information disclosed in the breach could allow “sophisticated hackers” such as the Shiny Hunters to access customers’ online accounts, the case argues.
According to the lawsuit, Minted knew or should have known that its lax security protocols put customers at risk of having their information disclosed to unauthorized third parties yet failed to take reasonable steps to protect the data. As the complaint puts it:
“Minted maintains a business that operates exclusively online and collects hundreds of millions of dollars from online customers each year; it has the resources to adopt reasonable protections and should have known to do so.”
The case goes on to slam Minted for its failure to detect the breach, noting that the company only learned of the incident after it was disclosed in a public report. If the defendant had implemented proper breach detection protocols, the company would have detected the hack and alerted customers “much sooner,” the suit says.
According to the case, the data breach was a “reasonably foreseeable consequence” of Minted’s inadequate security systems and has placed customers’ at an ongoing risk of identity theft and fraud. Despite the impact of the breach on customers, the defendant has failed to offer credit monitoring services or other mitigation measures “beyond what is available to the public,” the complaint says.
The lawsuit looks to cover anyone nationwide whose personally identifiable information was compromised in the May 2020 Minted data breach, with a proposed class of California residents.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Before commenting, please review our comment policy.