`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 1 of 61
`
`Franklin D. Azar (pro hac vice)
`Margeaux R. Azar (pro hac vice)
`FRANKLIN D. AZAR &
`ASSOCIATES, P.C.
`14426 East Evans Avenue
`Aurora, CO 80014
`Telephone:
`(303) 757-3300
`Facsimile:
`(720) 213-5131
`Email: azarf@fdazar.com
`Email: azarm@fdazar.com
`
`Paul R. Wood (pro hac vice)
`FRANKLIN D. AZAR &
`ASSOCIATES, P.C.
`6161 South Syracuse Way, Suite 200
`Greenwood Village, CO 80111
`Telephone:
`(303) 757-3300
`Facsimile:
`(720) 213-5131
`Email: woodp@fdazar.com
`
`Attorneys for Plaintiffs Erica Cooper and
`Jeri Connor
`
`Steven R. Weinmann (SBN 190956)
`Steven.Weinmann@capstonelawyers.com
`Tarek H. Zohdy (SBN 247775)
`Tarek.Zohdy@capstonelawyers.com
`Cody R. Padgett (SBN 275553)
`Cody.Padgett@capstonelawyers.com
`Trisha K. Monesi (SBN 303512)
`Trisha.Monesi@capstonelawyers.com
`CAPSTONE LAW APC
`1875 Century Park East, Suite 1000
`Los Angeles, California 90067
`Telephone:
`(310) 556-4811
`Facsimile:
`(310) 943-0396
`
`Attorneys for Plaintiff Alexander Huynh
`
`L. Timothy Fisher (SBN 191626)
`Joel D. Smith (SBN 244902)
`Blair E. Reed (SBN 316791)
`BURSOR & FISHER, P.A.
`1990 North California Blvd., Suite 940
`Walnut Creek, CA 94596
`Telephone: (925) 300-4455
`Facsimile: (925) 407-2700
`E-Mail: ltfisher@bursor.com
` jsmith@bursor.com
` breed@bursor.com
`
`
`Attorneys for Plaintiff Rick Musgrave
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`
`
`ALEXANDER HUYNH, ERICA
`COOPER, JERI CONNOR, and RICK
`MUSGRAVE individually, and on behalf
`of a class of similarly situated individuals,
`
`
`
`Plaintiff,
`
`
`v.
`
`QUORA, INC., a Delaware corporation,
`
`
`
`Defendant.
`
`Case No.: 5:18-cv-07597-BLF
`
`Hon. Beth Labson Freeman
`
`CONSOLIDATED THIRD AMENDED
`CLASS ACTION COMPLAINT FOR:
`
`
`(1) Violations of Unfair Competition Law,
`California Business & Professions Code
`§ 17200 et seq.
`(2) Negligence
`(3) Breach of Confidence
`(4) Breach of Contract
`
`
`
`DEMAND FOR JURY TRIAL
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 2 of 61
`
`Plaintiffs Alexander Huynh, Erica Cooper, Jeri Connor, and Rick Musgrave (“Plaintiffs”),
`by and through their counsel, allege the following against Quora, Inc. (“Defendant” or “Quora”)
`based upon the investigation of their counsel and information and belief, except as to those
`allegations specifically pertaining to themselves or their counsel, which are based upon personal
`knowledge:
`
`INTRODUCTION
`This case involves a matter of growing concern in modern culture, that of the
`1.
`security of personal data and information in an era of exponential technological expansion.
`Specifically, this is a class action lawsuit against Quora arising from its failure to safeguard the
`Personal Identifying Information (“PII”) of approximately 100 million Quora Users, of whom
`approximately 37 million are in the United States, in a malicious third-party attack on Quora’s
`internet technology (IT) systems (“the Incident,” or “the 2018 Data Breach”) that compromised
`those Users’ PII. The proposed Class is comprised of all persons who reside in the United States,
`who created an account with Quora, and whose personal or financial information was accessed,
`compromised, or stolen in the 2018 Data Breach (“Quora Users”).
`2.
`Launched in June 2010, Quora is a question-and-answer social media platform,
`where questions are asked, answered, edited, and organized by its community of Users. As of
`September 2018, Quora had a user audience of 300 million monthly unique Users, up from the 200
`million reported in 2017.1 Unlike comparable social media sites, however, Quora Users are
`perceived as more sophisticated in their use of the platform, with more in-depth discussions and
`qualified content.
`3.
`Quora requires its Users to provide PII to create an account via Defendant’s website
`or mobile phone application. Users reasonably expect Defendant to maintain strict confidentiality
`of the PII in Quora’s possession. Throughout the course of its business, Quora has collected and
`maintained an extensive amount of its Users’ personal information including, without limitation,
`
`1 See Ginny Marvin, With new funding & a growing userbase, Quora makes its pitch to
`advertisers, Marketing Land, Apr. 27, 2017, https://marketingland.com/quora-makes-pitch-to-
`advertisers-213185.
`
`Page 1
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 3 of 61
`
`account and User information (e.g., name, email, IP, User ID, encrypted passwords, User account,
`settings, personalization data), public actions and content including drafts (e.g., questions, answers,
`comments, blog posts, upvotes), data imported from linked networks (e.g., contacts, demographic
`information, interests, access tokens), non-public actions (e.g., answer requests, downvotes,
`thanks), and non-public content (e.g., direct messages, suggested edits). However, Defendant
`failed, and continues to fail, to provide adequate protection of its Users’ personal and confidential
`information and has egregiously failed to provide sufficient and timely notice or warning of
`potential and actual cybersecurity breaches to its Users
`4.
`Quora essentially granted unauthorized third parties access to Plaintiffs’ and other
`Quora Users’ PII without compensating the Quora Users, who are the rightful owners of that
`information. The value of that information, in part derived from its privacy, should be exclusively
`controlled by Quora Users, which is precisely what Plaintiffs expected.
`5.
`In 2016, Quora introduced advertisements to its platform to generate revenue.
`Quora’s ability to sell advertisement space targeting specific markets based on demographics,
`geography, consumer habits, and online tendencies is what enables it to generate revenue and
`profits.
`6.
`The collection, storage, and examination of the PII which Users provided to Quora
`enables it to sell advertisement space which targets specific markets based on demographics,
`geography, consumer habits, and online tendencies.
`7.
`As part of its ongoing investigation, Quora revealed that its Users’ personal
`information was subject to a massive data security breach in November 2018, affecting
`approximately 100 million Quora Users’ PII, of whom approximately 37 million are United States
`residents. Quora released a statement on its blog on December 3, 2018, publicly exposing details
`of the 2018 Data Breach for the first time. According to the statement, Defendant learned of the
`data breach as early as November 30, 2018,2 but still has not yet directly informed or notified all
`Quora Users that their PII may be compromised as a result of the breach. Rather, Quora states that
`
`2 Adam D’Angelo, Quora Security Update, Quora.com, Dec. 3, 2018,
`https://blog.quora.com/Quora-Security-Update.
`Page 2
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 4 of 61
`
`it began “logging out all Quora users” who may be affected and invalidating their passwords,
`without providing Users with any reason for being logged out and not being able to log back in. In
`fact, Quora is still “in the process of notifying users whose data has been compromised.”3
`8.
`Quora maintains a privacy policy that makes specific representations to its Users
`regarding its affirmative duty to protect Users’ PII, specifically informing them that they are in
`control of who has access to their PII and that Quora has implemented safeguards to protect their
`PII (“Privacy Policy”).
`9.
`According to Quora’s last public statement regarding the 2018 Data Breach, “the
`investigation is still ongoing” and they are still working “to gain a full understanding of what
`happened.”4 As of the time of the filing of this Complaint, Quora has still not released any
`information regarding which Users were impacted or what User PII was compromised to Plaintiffs,
`Quora Users, or to the public. Moreover, despite discovery requests served nearly one year ago,
`Quora has failed to provide any of that information to Plaintiffs in this lawsuit.
`10.
`As a result of Defendant’s failure to maintain adequate security measures and timely
`security breach notifications, Quora Users’ personal and private information has been
`compromised and remains vulnerable. Further, as a result of Quora’s failure to complete their
`investigation in a timely manner and/or provide information on precisely what Users were impacted
`and what PII was compromised, Users (including Plaintiffs) are in a position where they do not
`possess the information necessary to adequately protect themselves from future breaches, identity
`theft, or other fraud.
`11.
`The 2018 Data Breach was a successful attempt by a malicious third-party to steal
`the PII of Quora Users (including Plaintiffs) on a mass scale which purportedly spawned a criminal
`investigation.5 The only reason for a hacker to steal PII on a mass scale is with the intention of
`
`
`3 Id.
`4 Id.
`5 Quora objected to a number of discovery requests on the grounds that there was an
`“ongoing criminal investigation” but failed to provide any information regarding that
`investigation.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 3
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 5 of 61
`
`using that information to commit future acts of fraud and identity theft. In this instance, the motives
`of the hacker to steal data on a mass scale, combined with the amount and nature of information
`which was taken, virtually guarantees that the information compromised during the 2018 Data
`Breach will be used in future acts of cyber-fraud and identity theft. These future acts of fraud or
`identity theft could be perpetrated directly by the hackers themselves, or sold on the dark web to
`other malicious actors and combined with information stolen in other hacks and breaches to create
`increasingly complex and convincing scams. And because Quora Users are perceived as more
`sophisticated, the information obtained through the 2018 Data Breach is likely to be more valuable
`on the Dark Web than that from comparable social media sites.
`12.
`Due to Quora’s failure to disclose the results of its ongoing and (apparently)
`incomplete investigation, Quora Users have no guarantee that the above security measures will in
`fact adequately protect their personal information. As such, Plaintiffs and other Class Members
`have an ongoing interest in ensuring that their personal information is protected from past and
`future cybersecurity threats.
`13.
`The fact that it is a virtual certainty that the 2018 Data Breach will be used to
`perpetrate future acts of cyber-fraud and identity theft, combined with the fact that Quora has still
`not completed its investigation or released detailed information about the 2018 Data Breach, place
`Plaintiffs at an exceptionally high risk of future acts of identity theft.
`14.
`As a direct result and a necessary consequence of the 2018 Data Breach, Quora
`Users have suffered an ascertainable loss in that they must undertake additional security measures,
`some at their own expense, to minimize the risk of future data breaches. Such measures include,
`without limitation, canceling credit cards associated with, and changing passwords for Quora as
`well as for other networks linked to their Quora accounts, such as Facebook, Google, Twitter and
`LinkedIn. Plaintiff Connor is one such person, as she purchased enhanced credit monitoring
`specifically in response to the 2018 Data Breach.
`15.
`As a direct result and a necessary consequence of the 2018 Data Breach, Quora
`Users have suffered an ascertainable loss in that they have incurred otherwise-unnecessary out-of-
`pocket expenses, and suffered opportunity loss due to the time they have been required to spend in
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 4
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 6 of 61
`
`attempts to mitigate the damages caused by the 2018 Data Breach.
`16.
`As a result of Defendant’s failure to maintain adequate security measures and timely
`security breach notifications, Quora Users continue to suffer an ongoing and escalating
`accumulation of damages, as the 2018 Data Breach has rendered them more susceptible to future
`data breaches, identity theft, and other kinds of online fraud.
`THE PARTIES
`Plaintiff Alexander Huynh (“Huynh”) is, and at all times mentioned herein was,
`17.
`a citizen of the State of California, residing in Piedmont, California. Plaintiff Huynh has been a
`Quora User for the last four years. Plaintiff Huynh provided Defendant with PII including his name,
`account password, and contact information (including his email address, which contains his real
`name). Through the opening and use of this account, Plaintiff Huynh entrusted Defendant with his
`PII for all relevant time periods.
`a) Plaintiff Huynh was informed and believes that his PII was compromised as a result of
`the 2018 Data Breach because he received an email from “The Quora Team” on the
`evening of December 3, 2018, stating, “information of yours may have been
`compromised,” including, among other things, his “email, IP, user ID, encrypted
`password, user account settings, [and] personalization data.” See The Quora Team
`“Subject: Quora Security Update” Email message to Alexander Huynh, sent
`December 3, 2018 at 5:16 p.m. PDT (attached hereto as Exhibit A).
`b) Further, Plaintiff Huynh’s Quora account was logged out by a party other than Plaintiff
`Huynh and, based on the email from Quora, Plaintiff Huynh understands that those
`accounts affected by the breach were logged out by Quora.
`c) Plaintiff Huynh had his Quora account linked to other online accounts, including
`Facebook and Google.
`d) As a result of the 2018 Data Breach, Plaintiff Huynh has spent valuable time monitoring
`his accounts and credit reports to check for evidence of fraud or identity theft. Plaintiff
`Huynh estimates that he spent one hour per week on the phone and/or monitoring
`accounts to check for evidence of fraud or identity theft following the 2018 Data Breach.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 5
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 7 of 61
`
`Plaintiff Erica Cooper (“Cooper”) is, and at all times mentioned herein was, a
`18.
`resident and citizen of New Jersey. In approximately 2014, Plaintiff Cooper opened a Quora
`account and has used it for years. Through the opening and use of this account, Plaintiff Cooper
`has entrusted Defendant with her PII for all relevant time periods.
`a) Plaintiff Cooper was informed and believes that her PII was compromised as a result of
`the 2018 Data Breach because on or around December 3, 2018 she received an email
`from “The Quora Team” stating, “information of yours may have been compromised,”
`including, among other things, her “email, IP, user ID, encrypted password, user
`account settings, [and] personalization data.” The email is identical to Exhibit A.
`b) Plaintiff Cooper had her Quora account linked to other online accounts, including
`Facebook, LinkedIn, and PayPal.
`c) Plaintiff Cooper had a credit card linked to Quora through these other online accounts.
`As a result of, and in response to notification of the 2018 Data Breach and out of concern
`for potentially fraudulent activity on that credit card, Cooper cancelled the credit card
`that was linked to Quora through the other accounts in July 2019.
`d) As a result of, and in response to notification of the 2018 Data Breach, Cooper has spent
`time, money, and effort on a near-weekly basis monitoring accounts and trying to
`ascertain and mitigate the extent of the damage done to her online accounts due to the
`breach, and the level of increased threat she now faces. She experiences significant
`stress, fear, and anxiety as a result, on a near-daily basis.
`Plaintiff Jeri Connor is, and at all times mentioned herein was, a resident and
`19.
`citizen of Colorado. Plaintiff Connor opened a Quora account in approximately 2017 and has used
`it for several years. Through the opening and use of this account, Plaintiff Connor has entrusted
`Defendant with her PII for all relevant time periods.
`a) Plaintiff Connor was informed and believes that her PII was compromised as a result of
`the 2018 Data Breach because on or around December 3, 2018 she received an email
`from “The Quora Team” stating, “information of yours may have been compromised,”
`including, among other things, her “email, IP, user ID, encrypted password, user
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 6
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 8 of 61
`
`account settings, [and] personalization data.” The email is identical to Exhibit A.
`b) As a result of, and in response to notification of the 2018 Data Breach, Connor began
`paying $19.95 for enhanced credit monitoring from ClickFreeScore.com. Connor paid
`for these enhanced services out of pocket for approximately five months, spending
`between $40 and $100.
`c) As a result of, and in response to notification of the 2018 Data Breach, Connor has spent
`time, money, and effort on a near-weekly basis monitoring accounts and trying to
`ascertain and mitigate the extent of the damage done to her online accounts, and the
`level of increased threat she now faces. She experiences significant stress, fear, and
`anxiety as a result, on a near-daily basis.
`Plaintiff Rick Musgrave is, and at all times mentioned herein was, a citizen of
`20.
`the State of California, residing in Pacheco, California. Plaintiff Musgrave first used Quora in or
`about October 2017. As a result of using Quora’s services, Plaintiff Musgrave’s PII was stored
`by Quora and later stolen and put at risk during the 2018 Data Breach.
`a) Plaintiff Musgrave was informed and believes that his PII was compromised as a result
`of the 2018 Data Breach because he received an email from “The Quora Team” stating,
`“information of yours may have been compromised,” including, among other things,
`his “email, IP, user ID, encrypted password, user account settings, [and] personalization
`data.” The email is identical to Exhibit A.
`b) Plaintiff Musgrave had his Quora account linked to other online accounts, including
`Facebook, Google, AOL, and LinkedIn.
`c) Plaintiff Musgrave had a credit card linked to Quora through these other online
`accounts.
`d) Since the 2018 Data Breach, Plaintiff Musgrave has received notifications from Credit
`Karma that foreign third parties have tried to hack into several of his online accounts.
`e) In early January 2020, Plaintiff Musgrave learned that an unauthorized, malicious third
`party opened a Discover credit card in his name. In addition, around $7,000 was taken
`from Plaintiff Musgrave’s bank account without his permission from a malicious third
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 7
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 9 of 61
`
`party. Plaintiff Musgrave promptly filed a police report as a result.
`f) As a result of the 2018 Data Breach, Plaintiff Musgrave has spent valuable time
`monitoring his accounts and credit reports to check for evidence of fraud or identity
`theft, which he actually experienced. Plaintiff Musgrave estimates that he spent one
`hour per week following the 2018 Data Breach monitoring accounts to check for
`evidence of fraud or identity theft. Once Plaintiff Musgrave learned that an unidentified
`third party opened a credit card in his name, and after money was stolen from his bank
`account, he estimates that he spent an additional 40 hours to remedy the issue. As a
`result of the 2018 Data Breach, Plaintiff Musgrave is still trying to mitigate the very
`real damage done to his online accounts, and the level of threat he now faces.
`21.
`The 2018 Data Breach and disclosure of the PII has immediately, directly and
`substantially increased Plaintiffs’ risk of identity theft. Indeed, the compromise of information
`such as victims’ names, birth dates, email addresses, passwords, and other identifying
`information alone creates a material risk of identity theft. That level of risk is exponentially
`increased when, as here, it is bundled together with the individualized content that Plaintiffs
`provided to Quora.
`22.
`The information taken is immutable and valuable to hackers, providing “further
`ammunition” to perpetrate future acts of online fraud. Plaintiffs have also suffered a loss of
`privacy and nuisance, and must now expend additional time and money mitigating the threat of
`identity theft, which would not be necessary but for the 2018 Data Breach.
`23.
`Defendant Quora, Inc. is a corporation organized and in existence under the laws of
`the State of Delaware and registered to do business in the State of California. Quora’s corporate
`headquarters are located at 650 Castro Street, Suite 450, Mountain View, California 94041.
`24.
`At all relevant times, Defendant was and is engaged in the business of operating a
`social networking website and mobile application in Santa Clara County and throughout the United
`States of America. Additionally, Quora sells contextual advertising relevant to question topics and
`user interests.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 8
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 10 of 61
`
`JURISDICTION
`25.
`This Court has subject matter jurisdiction over this matter pursuant to 28 U.S.C. §§
`1331 and 1337, as well as jurisdiction over the state law claims pursuant to 28 U.S.C. §§ 1332(d)
`and 1367 because this action arises under the Constitution or laws of the United States and the
`Class Action Fairness Act, in that, as to each Class defined herein:
`a)
`the matter in controversy exceeds $5,000,000.00, exclusive of interest and costs;
`b)
`this is a class action involving 100 or more class members; and
`c)
`this is a class action in which at least one member of the Plaintiff class is a citizen
`of a state different from at least one Defendant.
`26.
`The Court has personal jurisdiction over Defendant, which has at least minimum
`contacts with the State of California because its headquarters are located there, it has conducted
`business there, and it has availed itself of California’s markets through its social networking
`websites and mobile applications.
`
`VENUE
`27.
`Venue is proper in this District pursuant to 28 U.S.C. §§ 1391(b), (c), and (d)
`because a substantial part of the events giving rise to Plaintiffs’ claims occurred in this District.
`28.
`Quora, through its online Q&A platform, has established sufficient contacts in this
`District such that personal jurisdiction is appropriate. Defendant is deemed to reside in this District
`pursuant to 28 U.S.C. § 1391(a).
`29.
`In addition, Defendant is headquartered in Mountain View, California, has
`conducted business in this District, and has availed itself of California’s markets through its
`marketing and operations of its social networking websites and mobile applications. Venue is
`proper in this Court pursuant to 28 U.S.C. § 1391(a).
`30.
`Finally, venue is proper in this District because Defendant’s Terms of Service
`(attached hereto as Exhibit B), which all Users agree to when creating an account on Quora.com,
`identifies this Court as the proper venue and California law as the proper law for any claims
`arising between Defendant and its Users.
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 9
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 11 of 61
`
`FACTUAL ALLEGATIONS
`31.
`Quora created and operates a user-based Q&A platform through its website and
`mobile application that facilitate private and public communications, including messages, posts,
`and photographs, from and between its Users, as well as providing access to certain account
`information to third-party applications. Quora purports to allow its Users the ability to share and
`restrict information based on their own specific criteria. In September 2018, Quora reported having
`more than 300 million active users.6
`32.
`Quora requires its Users to provide PII upon creating an account via Defendant’s
`website or mobile phone application, and Users expect Defendant to maintain strict confidentiality
`of the PII in Quora’s possession. Throughout the course of its business, Quora has collected and
`maintained an extensive amount of its Users’ personal information including, without limitation,
`Users’ names, email addresses, other contact information, encrypted passwords, private messages,
`photographs, and data imported from linked networks. Quora Users provide this personal
`information to Quora in reliance on Defendant’s assurances as to the protection and security of its
`Users’ PII.
`33.
`However, Defendant failed, and continues to fail, to provide adequate protection of
`its Users’ personal and confidential information and has egregiously failed to provide sufficient
`and timely notice or warning of potential and actual cybersecurity breaches to its Users.
`34.
`At all relevant times, Quora has made assurances to its Users that its Users’ privacy
`and security is of utmost importance to Quora, and its Users have relied on those assurances in
`providing Quora with their PII. Quora’s Privacy Policy is attached hereto as Exhibit C. In fact,
`Quora’s Privacy Policy states, “The security of your information is important to us. Quora has
`implemented safeguards to protect the information we collect.” See Exhibit C. Additionally, the
`Privacy Policy provides that Quora will only share Users’ personal information in specified
`scenarios: 1) With Quora’s service providers who use the information to provide services to it; 2)
`With affiliates and subsidiaries of Quora; 3) Metrics and aggregated data with third-party
`
`6 See Josh Constine, Q&A app Quora valued around $1.8 billion in $85 million fundraise,
`Techcrunch, Apr. 21, 2017, https://techcrunch.com/2017/04/21/uniquorn/.
`Page 10
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 12 of 61
`
`advertisers or researchers; 4) During business transfers of ownership (i.e., merger, sale, etc.); 5)
`When Quora is required by law to do so; and, 6) “[W]here individuals have otherwise consented.”
`Clearly, Quora has failed to provide the security consistently promised to its Users and the 2018
`Data Breach does not fall within any of the specified scenarios for release of Users’ information
`discussed in Quora’s privacy policy. Id.
`35.
`The types of information compromised in the 2018 Data Breach are highly valuable
`to identity thieves because the information includes data which is immutable in nature. The names,
`email addresses, passwords, security question answers, and other valuable PII can all be used to
`gain access to a variety of existing accounts and websites.
`36.
`Despite these assurances, Quora revealed that its Users’ PII was subject to a massive
`data security breach on December 3, 2018, publicly exposing details of the 2018 Data Breach for
`the first time. According to the statement, Defendant learned of the 2018 Data Breach as early as
`November 30, 2018,7 but has not yet directly informed or notified all Quora Users that their PII
`may have been compromised as a result of the breach. Rather, Quora has stated that it began
`“logging out all Quora users” who may have been affected and invalidating their passwords. This
`action was taken without providing Quora Users with any reason for being logged out and not being
`able to log back in, and Quora is still “in the process of notifying users whose data has been
`compromised.”8
`37.
`Defendant directly acknowledged its duty to safeguard Quora Users’ PII. In its
`December 3, 2018 blog post announcing the 2018 Data Breach, Quora CEO Adam D’Angelo
`declared that “[i]t is our responsibility to make sure things like this don’t happen, and we failed
`to meet that responsibility. We recognize that in order to maintain user trust, we need to work very
`hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s
`knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will
`
`
`7 Quora Security Update, supra fn. 2.
`8 Id.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 11
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 13 of 61
`
`remain private.”9 Addressing the 2018 Data Breach, Leigh-Anne Galloway, the cybersecurity
`resilience lead at Positive Technologies, stated that “the data sets that have been exposed here are
`huge” and are not just the usual user credential leakage, but “also their social network accounts
`and potentially their private personal information that was posted on Quora.”10 In response to the
`2018 Data Breach, Galloway recommended that all organizations should prepare for the worst and
`get ready to deal with an almost inevitable breach.11
`38.
`In 2017, Quora was valued at approximately $1.8 billion.12 Although Quora started
`out with no revenue source and relied entirely on venture capital, in 2016, it introduced
`advertisements to its platform to begin generating revenue.13 In 2017, Quora doubled its
`advertisement sales team, with Puja Ramani, head of business marketing at Quora explaining that
`“[t]his is how we’re going to monetize. We’ve been really happy with the results so far and have
`doubled the ads team. We’re going to be investing a lot in this area of the business.”14 A study in
`2019 found that Quora may generate as much as $112 million in revenue through advertisements
`in 2018 alone.15
`39.
`Quora’s advertisement revenue is dependent on the engagement of Users, including
`Defendant’s ability to collect personal information about its Users. Thus, when Users signed up to
`join Quora, they were entering into a transaction – a value-for-value exchange – in which they
`agreed to provide content and PII that Defendant could use, subject to the Users’ privacy
`
`9 Id. (emphasis added).
`10 Davey Winder, Quora Hacked: What Happened, What Data Was Stolen And What Do
`Next?,
`Forbes,
`Dec.
`4,
`2018,
`100 Million
`Users
`Need
`To
`Do
`https://www.forbes.com/sites/daveywinder/2018/12/04/quora-hacked-what-happened-what-
`data-was-stolen-and-what-do-100-million-users-need-to-do-next/#66a05b324f44
`(emphasis
`added).
`11 Id.
`12 Trefis Team, With A Strong Monetization Platform, How Much Can Quora Be Worth?,
`Forbes, June 25, 2018, https://www.forbes.com/sites/greatspeculations/2018/06/25/with-a-
`strong-monetization-platform-how-much-can-quora-be-worth/#5bb9e18f3180.
`13 Marketing Land, supra fn 1.
`14 Id.
`15 Id.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Page 12
`CONSOLIDATED AMENDED CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`Case 5:18-cv-07597-BLF Document 85 Filed 02/25/20 Page 14 of 61
`
`restrictions. Because exclusive access to such content and information confers a competitive
`advantage, there is a “first user” value to the content and information. That value has now been lost
`due to the 2018 Data Breach.
`40.
`One study found that the average consumer in the U.S. can make $240 per year
`monetizing his or her personal data for digital advertising.16 Another study in 2018 fou