Two Samsung Data Breaches in 2022 Class Action

Samsung Electronics America, Inc. sells millions of electronic items each year. Customers must often provide data to the company to get full use of the devices they buy, and Samsung claims to understand the need for strong security measures. Nevertheless, the complaint alleges that Samsung failed to take adequate measures to prevent the compromise of the personally identifiable information (PII) it stored and suffered not one but two data breaches.

A class and two subclasses have been defined for this action:

• The Class is all persons who bought or used Samsung products and services in the US and whose PII was accessed, compromised, or stolen in the data breach announced by Samsung on September 2, 2022.
• The California Subclass is all persons who bought or used Samsung products and services in California and whose PII was accessed, compromised, or stolen in the data breach announced by Samsung on September 2, 2022.
• The Michigan Subclass is all persons who bought or used Samsung products and service in Michigan and whose PII was accessed, compromised, or stolen in the data breach announced by Samsung on September 2, 2022.

When the plaintiff in this case bought Samsung products, they were required to register them with Samsung in order to have full use of them. One bought two Samsung printers, in 2015 and 2018, and the complaint alleges that he had to create a Samsung account and enter his information in order to have access to the printer drivers and application for Mac OS. The other bought a smart TV and was required to create an account with her information to access its features.

Samsung claims to value its customers’ privacy and security. For example, the complaint quotes a 2018 Samsung website article entitled “Our approach to privacy” as saying, “Samsung has developed a defense-grade security solution called Knox that is built into the architecture of our products. Data that you store in Knox is shielded by one of the highest levels of encryption currently available.”

Nevertheless, Samsung experienced not one but two data breaches. In April 2022, the complaint alleges, an organization called Lapsus$ stole Samsung data and published 190 GB of it online. The complaint alleges that Samsung minimized this security breach, even though Lapsus$ had stolen important sources, algorithms, and source code.

“Despite this earlier breach and full knowledge of the exposed sensitive technical data,” the complaint alleges, Samsung “utterly failed to adequately secure its systems, and allowed another breach to occur, this time compromising consumer PII.”

The complaint alleges that the second data breach took place in July 2022 but that Samsung did not detect it until around August 4 and did not announce it until September 2. The complaint claims, “To date, [Samsung] fails to explain the scope of this breach, or notify all affected customers.”

According to the complaint, the plaintiffs have received a large volume of phishing emails and spam telephone calls, seeking to trick them into providing more personal information to scammers.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy