Ruger Responsible for 17-Month Data Breach, Class Action Alleges
Last Updated on November 1, 2022
Jones v. Sturm, Ruger & Company, Inc.
Filed: October 4, 2022 ◆§ 3:22-cv-01233
A class action claims Ruger failed to properly safeguard consumers’ personal information and payment card data, resulting in a 17-month data breach.
A proposed class action claims firearm manufacturer Ruger failed to properly safeguard consumers’ personally identifiable information and payment card data, resulting in a 17-month data breach from 2020 to 2022.
The 36-page case alleges defendant Sturm, Ruger & Company failed to protect the information consumers provided when making purchases on ShopRuger.com. As a result, cybercriminals were able to access proposed class members’ sensitive data from September 2020 to February 2022, the filing contends.
The complaint argues that the cyberattack persisted for 17 months because Ruger failed to perform adequate security reviews of its website. Additionally, Ruger did not alert affected individuals or various state attorneys general until August 2022, seven months after the malware behind the attack was removed by the website’s third-party host, Freestyle Solutions, the case asserts.
Per the filing, the unencrypted data was stolen directly from Ruger’s checkout page, and included consumers’ names, shipping and email addresses, credit or debit card information, products that were bought and the price, and the number of items purchased.
As the case tells it, Ruger’s failure to implement adequate cybersecurity measures was “particularly egregious” because customers were purchasing firearm accessories.
“Criminals can now access their Private Information which includes the nature of their purchases and their shipping and billing addresses. With this information criminals can target the homes of firearm owners to steal firearms that they cannot obtain through legal channels.”
According to the lawsuit, Ruger “knew or should have known” that its website was at risk of being targeted by cybercriminals based on recent data breaches at other industry-leading companies. Precautionary reports from the FBI and U.S. Secret Service warned companies to take appropriate measures to prevent cyberattacks, the case relays.
The filing argues that Ruger went against industry-wide security standards by not investing in technology to encrypt payment card information at the point of sale. As a result, hackers were able to capture unencrypted data the moment customers made their purchases, the case alleges. The complaint contends that Ruger’s failure to protect consumers’ data is a breach of the company’s privacy policy, which promises to take “commercially reasonable steps to help protect and secure the Personal Information we collect.”
The complaint stresses that data breach victims have “suffered real and imminent harm” due to Ruger’s failure to safeguard their sensitive information and its delayed detection and disclosure of the cyberattacks.
“There is a strong probability that entire batches of stolen payment card information have been dumped on the black market or are yet to be dumped on the black market, meaning Plaintiff and Class Members are at an increased risk of fraud for many years into the future. Thus, Plaintiff and Class Members must vigilantly monitor their financial accounts for many years to come.”
The lawsuit looks to represent anyone who was impacted by the Ruger data breach between September 2020 and February 2022, including anyone who was sent a notice of the data breach in August 2022.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.