US Bank Theft of Server and “Massive” Data Breach California Class Action

US Bank, NA (USB) is a subsidiary of US Bancorp, a financial service holding company. Last summer, USB experience what the complaint calls a “massive data breach” that exposed or exfiltrated a large amount of personally identifying information (PII). The complaint for this class action claims that “USB maintained the highly sensitive PII in a form that was neither encrypted nor redacted” and alleges that USB bears responsibility for the data breach.

The class for this action is all USB customers who live in California whose PII was compromised or accessed in the data breach, which the Notice of Data Breach issued by USB says happened on or about July 30, 2020.

USB is a large bank which may have gross revenues of more than $250 million. Because it collects the PII of customers, it has a duty to protect that information.

Unusually, the Notice of Data Breach sent out by USB reports that a server containing information “was physically stolen from one of [USB’s] corporate offices.” The complaint says that “nonredacted and nonencrypted PII of its customers that was stored on that server was accessed and compromised.” The theft happened sometime around July 30, 2020; however, the it also says that USB did not notify the customers whose information was compromised until early September.

The information exposed includes names, account numbers, and Social Security numbers.

The plaintiff in this case, Robert Maag, is a customer of USB, living in San Diego County, California. According to the complaint, the data breach “resulted in an invasion of his privacy interests [and] loss of value of his PII, and has placed him at imminent, immediate, and continuing risk of further identity theft-related harm.” Maag has had to pay for credit-monitoring services to try to lessen the harm that he may be exposed to because of the data breach.

According to the complaint, similar large data breaches have been in the news in recent years, and USB should have considered data breaches as a known risk of its business and taken adequate steps to protect against it.

The complaint alleges, “Upon information and belief, USB breached its standard of care by failing to implement reasonable security procedures to adequately protect Class Members’ PII—which was not password protected, redacted or encrypted—from data breaches. Data breaches, such as this one, are commonly made possible through a vulnerability in a system or server.”

The counts include negligence and violation of the California’s Consumer Privacy Act and its Unfair Competition Law.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

US Bank Theft of Server and “Massive” Data Breach California Complaint

January 8, 2021

US Bank, NA (USB) is a subsidiary of US Bancorp, a financial service holding company. Last summer, USB experience what the complaint calls a “massive data breach” that exposed or exfiltrated a large amount of personally identifying information (PII). The complaint for this class action claims that “USB maintained the highly sensitive PII in a form that was neither encrypted nor redacted” and alleges that USB bears responsibility for the data breach.

US Bank Theft of Server and “Massive” Data Breach California Complaint

Case Event History

US Bank Theft of Server and “Massive” Data Breach California Complaint

January 8, 2021

US Bank, NA (USB) is a subsidiary of US Bancorp, a financial service holding company. Last summer, USB experience what the complaint calls a “massive data breach” that exposed or exfiltrated a large amount of personally identifying information (PII). The complaint for this class action claims that “USB maintained the highly sensitive PII in a form that was neither encrypted nor redacted” and alleges that USB bears responsibility for the data breach.

US Bank Theft of Server and “Massive” Data Breach California Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy