Wyze Labs Hit with Class Action Over Three-Week 2019 Data Breach Affecting 2.4 Million Customers

New to ClassAction.org? Read our Newswire Disclaimer

Wyze Labs, Inc. has been hit with a proposed class action lawsuit after suffering a data breach that exposed the sensitive information of 2.4 million customers to unauthorized parties for over three weeks in 2019. The case claims the defendant, which sells Wi-Fi-accessible cameras and sensors comparable to Nest and Ring products, failed to maintain adequate security systems despite promising to do so and, as a result, has subjected customers to an increased risk of identity theft.

The case out of Washington federal court comes nearly two months after cybersecurity firm Twelve Security revealed the existence of the breach in a blog post late last year. The article, published on December 26, stated that two of Wyze’s cloud-based databases were “left entirely open to the internet” and free for anyone to access since December 4. Contained in the databases, the lawsuit says, was 2.4 million customers’ sensitive information, including but not limited to usernames, email addresses, camera nicknames, device models, firmware information, Wi-Fi SSID (service set identifier) details, API tokens for iOS and Android, Alexa tokens and “a huge array of health information” about certain customers, ranging from height, weight, and bone density to daily protein intake.

The lawsuit argues that the security incident has exposed Wyze users to a heightened risk of identity theft and fraud for years to come. According to the case, Wyze specifically assured those who used its products—including the Wyze Cam wireless smart home camera, Wyze Cam Pan wireless smart home camera and Wyze Smart sensor—that their personal information would be protected and used only for intended purposes. Despite these promises, the company allegedly failed to properly secure customers’ data, leaving their sensitive information vulnerable to “an untold number of miscreants.”

The case claims the security incident has not only exposed users’ private information to unauthorized parties but has made it theoretically possible for their home security cameras to be accessed by “any individual anywhere in the world.” Mirroring the nightmarish allegations in a recent lawsuit filed against Ring, the complaint claims the live video feed of Wyze users could potentially be hacked and viewed using stolen API tokens or private certificate files for the devices. The suit argues that had Wyze complied with state and federal regulations, industry practices, and the common law in adopting even “basic security measures,” the company could have prevented the breach and protected customers.

In response to the breach, Wyze noted in a December 27 post on its website that the company has “always taken security very seriously” and is “devastated that we let our users down like this.” Since then, the company has posted various updates to its online forum detailing the actions it’s taken in response to the breach and even inviting users to voice any further suggestions.

The lawsuit seeks to cover anyone in the U.S. who purchased Wyze products “within the applicable statute of limitations periods.”