The San Francisco 49ers—officially known as 49ers Enterprises, LLC—is a National Football League team based in California. The complaint for this class action also calls it “a highly sophisticated business enterprise worth billions of dollars,” yet the complaint claims it somehow “neglected to take basic and necessary steps to ensure that the PII it collected from consumers and its employees was effectively protected against the foreseeable threat of a targeted data breach.”
The class for this action is all individuals living in the US whose PII was compromised in the data breach first announced by the 49ers on or around August 31, 2022. A California Subclass has also been defined for all those in the above class living in California.
The information kept on the 49ers’ servers, the complaint alleges, included names, Social Security numbers, payment card information, and also information about employees’ dependents’ PII and immigration statuses.
On or around February 6, 2022, an unknown party placed ransomware on the 49ers servers and was able to take over its computers for almost five days, at which time, the complaint alleges, the personally identifiable information (PII) in the servers was exposed. However, the 49ers did not tell the individual victims about the data breach at that time, but waited for more than a half a year, until August 2022, to announce the intrusion.
The complaint alleges, “By obtaining, collecting, using, and deriving a benefit from the PII … [the 49ers] assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion and to timely notify” the victims of any data breach.
The information, the complaint claims, was not encrypted or redacted and “was compromised due to [the 49ers’] negligent and/or careless acts and omissions and its utter failure to protect the sensitive, non-public data it maintained for its own pecuniary benefit.”
Even when the Notice of the data breach was published, the complaint alleges, the victims were not told that the data breach was perpetrated by “a sophisticated ransomware gang known as Blackbyte or that Blackbyte had already published certain files that it exfiltrated during the data breach on the dark web.”
The complaint alleges that the organization did not use “reasonable security procedures and practices appropriate to the nature of the sensitive information” it was maintaining, such as encrypting it or deleting any information that was no longer needed.
The complaint claims that the 49ers did not follow the recommendations of the US Government, the US Cybersecurity & Infrastructure Security Agency, or the Microsoft Threat Protection Intelligence Team to protect the information it stores. It claims the data breach was foreseeable and could have been prevented.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
San Francisco 49ers Data Breach Complaint
December 22, 2022
The San Francisco 49ers—officially known as 49ers Enterprises, LLC—is a National Football League team based in California. The complaint for this class action also calls it “a highly sophisticated business enterprise worth billions of dollars,” yet the complaint claims it somehow “neglected to take basic and necessary steps to ensure that the PII it collected from consumers and its employees was effectively protected against the foreseeable threat of a targeted data breach.”
San Francisco 49ers Data Breach ComplaintCase Event History
San Francisco 49ers Data Breach Complaint
December 22, 2022
The San Francisco 49ers—officially known as 49ers Enterprises, LLC—is a National Football League team based in California. The complaint for this class action also calls it “a highly sophisticated business enterprise worth billions of dollars,” yet the complaint claims it somehow “neglected to take basic and necessary steps to ensure that the PII it collected from consumers and its employees was effectively protected against the foreseeable threat of a targeted data breach.”
San Francisco 49ers Data Breach Complaint