After a high-profile data breach forced eBay to ask its customers to reset their passwords and following criticism of how it responded to the breach, the internet company is being taken to court as part of a class-action suit.
Louisiana resident Collin Green filed a consumer privacy class-action suit in U.S. District Court for the Eastern District of Louisiana on Wednesday, accusing the internet company of failing to secure private information.
Noting that eBay “holds personal information of is more than 120 million active customers in electronic files it declares ‘secure’,” the complaint says because the company didn’t protect it properly it “has caused, and is continuing to cause, damage to its customers.”
The suit provided a litany of information that eBay collects and stores — from credit card, shipping and geo-location data to statistics on page views, mobile phone numbers and community discussions — that could be used for identity theft, though the plaintiff admitted to being “unsure how much, if any, of these additional highly detailed classes of personal information were also stolen due to eBay’s failures.”
The complaint also chided eBay for revealing the breach May 21 months after it occurred (in February or March) and only after it had been widely reported.
Noting that the company was well aware, as it stated in its 2014 10-Q SEC, that it was “subject to online security risks, including security breaches,” and was well aware of reporting requirements, the plaintiff claims that eBay did not only failed to protect data but withheld customer notification in an attempt to avoid negative market perception and damage to its bottom line.
“eBay’s profit-driven decision to withhold the fact of its security lapse further damaged the class members who were prevented from immediately mitigating the damages from the theft,” the suit said.
Green is suing eBay for negligence, violation of the Federal Stored Communications Act and Louisiana’s breach notification law as well as those of other states, breach of contract and breach of implied contract.
The suit also charges eBay with breach of fiduciary duty, bailment, and violation of the Gramm-Leach-Bliley Act as well as the federal Fair Credit Reporting Act and is asking for class-action certification, compensatory and consequential damages as well as attorney fees.
In May, eBay posted a FAQ saying that financial information, as well as Social Security numbers, Taxpayer Identification numbers and National Identification numbers, were not compromised. It asked customers to reset their passwords, which the company recently noted had an impact on its financials.
Despite second quarter financials that were on par or slightly better than predicted, eBay had a “challenging quarter” and took significant “body blows” CEO Jack Donahoe said during an evening earnings call last week, according to a report in SCMagazineUK.com.
Donahoe contended that the password reset, which drew criticism from some, had resulted in a decline in user activity that has yet to reach previous levels.