Pawn America, Payday America, PAL Card Minnesota Hit with Class Action Over Data Breach
by Erin Shaak
Murillo v. Pawn America Minnesota, LLC et al.
Filed: November 29, 2021 § 0:21-cv-02574
A class action alleges Pawn America and its associates are to blame for a data breach in which private customer information was stolen by cybercriminals.
Minnesota
A proposed class action alleges Pawn America Minnesota, LLC; Payday America, Inc.; and PAL Card Minnesota, LLC are to blame for a September 2021 data breach in which private customer information was stolen by cybercriminals.
The 54-page lawsuit claims the “massive cyber-attack” exposed the names; Social Security, driver’s license, passport and government ID numbers; dates of birth; and financial account information of at least 530,000 consumers. Per the case, Pawn America, which operates 17 pawn shops in Minnesota and Wisconsin; Payday America, which offers short-term banking options; and PAL Card Minnesota, which offers prepaid payment cards under the trade name CashPass, are in part responsible for the breach given they maintained customer information “in a reckless manner” and stored it “in a condition vulnerable to cyberattacks of this type.”
The suit argues that the defendants’ failure to safeguard sensitive customer data has caused customers to suffer “ascertainable losses,” including the loss of the value of their information and the benefit of their contractual bargain with the companies, not to mention out-of-pocket expenses and time spent attempting to mitigate the effects of the breach. Moreover, those affected by the incident now face a future risk of identity theft and fraud given their data is “now in the hands of data thieves,” the case says.
The lawsuit relays that the defendants first detected a problem on September 28, 2021, when they began experiencing outages. Per the complaint, the companies discovered on October 3 that they had experienced a ransomware attack. The case alleges, however, that the defendants waited until at least October 25 to notify those whose information was compromised in the breach, with some victims not receiving notice until November.
According to the filing, customers’ data was stored on the defendants’ systems in an unencrypted format, and the companies acknowledged after the incident that they were working to “improve [their] security.” The case says the defendants failed to follow Federal Trade Commission guidelines and industry standards for data security.
Moreover, the defendants have allegedly failed to offer any sort of identity theft monitoring service or other kind of assistance to data breach victims aside from providing contact information for the Federal Trade Commission.
The lawsuit seeks to cover anyone in the U.S. whose personally identifiable information was compromised in the data breach discovered by the defendants around October 3, 2021.