
This class action concerns a data breach that took place via a phishing scam, and a subsequent theft of cryptocurrency. It brings suit against Mailchimp (officially, Rocket Science Group, LLC) and its parent company Intuit, Inc., on whose platform Mailchimp’s information was stored. The complaint alleges that the cyberattack was facilitated by a Mailchimp or Intuit employee who was taken in by a phishing scam and clicked on a malicious link.
The class for this action is all persons living in the US who received the unauthorized April 2, 2022 Trezor-branded email purportedly informing them of a data security incident and who lost cryptocurrency as a result thereof.
Also involved in this case are two Czech companies, Trezor Company s.r.o. and SatoshiLabs s.r.o. They sell a hardware wallet for cryptocurrency called a Trezor. These wallets allow people to store their cryptocurrency offline until they are ready to sell or spend it. According to the complaint, the “Trezor further provides an internet-based portal called the Trezor Suite, which allows users to access their cryptocurrency wallet and make transactions with cryptocurrency.”
The complaint alleges that the Trezor mailing list was “negligently stored” by Mailchimp on the Intuit platform. According to the complaint, “[t]he hackers were able to access the Trezor email list (and likely other sensitive information) through Mailchimp and/or Intuit employee accounts. Indeed, Defendants confirmed that hackers used an internal employee tool to steal data from more than 100 of their clients—with the data being used to mount phishing attacks on the users of cryptocurrency services.”
On April 2, 2022, the hackers then sent Trezor customers an email, the complaint alleges, “stating, in relevant part, that their data had been compromised and that their cryptocurrency was ‘at risk of being stolen.’” It directed them to a fake version of Trezor’s website, at a URL that looked the same as Trezor’s but included a barely-noticeable underdot under the “e” in “Trezor,” where they were told to download a new version of the Trezor Suite desktop app.
In doing this, the complaint alleges, they were actually “giving the hackers access to users’ crypto wallets and most importantly, recovery seeds. Such credentials would give hackers plenary control of a user’s Trezor Suite account and the cryptocurrency contained within the offline wallets associated with these accounts.”
The plaintiff in this case, Alan Levinson, was one of the victims of this scam, reportedly losing some $82,000 worth of cryptocurrency.
The complaint alleges that the scheme “was predicated on knowledge of the email addresses of the Trezor platform users,” which the hackers gained access to by breaching the systems of Mailchimp and Intuit.
The complaint claims that Mailchimp and Intuit “intentionally, willfully, recklessly, or negligently fail[ed] to take adequate and reasonable measures to ensure that its data systems were protected…” It also claims that the “personal information was improperly handled and stored and was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies, and procedures.”
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
Mailchimp, Intuit Email Info and Cryptocurrency Theft Complaint
April 22, 2022