FabFitFun Subscription Box Data Breach Class Action

FabFitFun, Inc. is known for its subscription box, a selected collection of items for beauty, fashion, wellness, fitness, home, and technology that it sends out four times a year. Subscribers pay $50 per season or $180 per year. However, the complaint for this class action alleges that it does not adequately protect customer information, pointing to the data breach it suffered in 2020.

The Nationwide Class for this action is all individuals whose personal identifying information (PII) was exposed in the data breach announced by the company on September 18, 2020. A Colorado Subclass has also been defined, as all persons in the above group living in Colorado.

FabFitFun’s Privacy Policy, as quoted in the complaint, promises, “We take reasonable and appropriate measures to help keep information secure and to help prevent it from becoming disclosed.”

What this does not promise, the complaint points out, is that the company follows the Payment Card Industry Data Security Standard (PCI DSS), which the complaint calls a “requirement for businesses that store, process, or transmit payment card data.” The PCI DSS, it says, “defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions.”

In the course of a transaction at the website, customers enter their names, addresses, payment card number, payment card expiration date, and payment card CVV security code.

The plaintiff in this case, Cheryl Gaston, bought a FabFitFun subscription on May 7, 2020. The data breach took place from April 26 to May 14, 2020, and May 22 to August 3, 2020. Gaston only received the company’s notice about the data breach on September 29, 2020.

FabFitFun claims that its technical team found out about the data breach on August 7, 2020. It claimed that cybercriminals had inserted malicious code to “scrape” information customers entered on the site. The complaint says that FabFitFun “claims it removed the malicious code and took steps to secure its website with the help of forensic cybersecurity experts engaged to assist with the investigation.”

Still, it did not start telling state attorneys general or the people who were affected until around September 18.

The complaint claims that the company “failed to use encryption to protect sensitive information transmitted online…” It claims that this type of scraping attack has been known for a long time, implying that FabFitFun should therefore have been on notice to be alert to and prepared for such attacks.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

FabFitFun Subscription Box Data Breach Complaint

October 16, 2020

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy