UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS

JORGE NEWBERY and HOLLY RINGLING, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

SAMSUNG ELECTRONICS AMERICA, INC.,

Defendant.

Case No. 1:22-cv-5325

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT
`
`Plaintiffs JORGE NEWBERY and HOLLY RINGLING (“Plaintiffs”), individually and on
`
`behalf of all others similarly situated, through their attorneys, bring this action against Defendant
`
SAMSUNG ELECTRONICS AMERICA, INC. (“Defendant” or “Samsung”), and allege upon
`
`personal knowledge as to their own actions and experiences, and upon investigation, information,
`
`and belief as to all other matters, as follows:
`
`INTRODUCTION
`
`1.
`
`This consumer data breach lawsuit arises out of Defendant’s failure to implement
`
`and maintain adequate security and safeguards with respect to its collection and maintenance of
`
`highly sensitive and confidential personal information of its customers, including name, contact
`
`and demographic information, date of birth, and product registration information. Defendant’s
`
`insufficient and unreasonable data security practices caused, facilitated, and exacerbated the data
`
`breach and its impact on Plaintiffs and Class members.
`
`
`
`Case: 1:22-cv-05325 Document #: 1 Filed: 09/29/22 Page 2 of 30 PageID #:2
`
`2.
`
`Samsung is a leader in the global market for high-tech computers and electronics
`
`manufacturing and digital media.
`
`3.
`
`By Defendant’s own admission, in late July 2022, an unauthorized third party
`
`acquired information from some of Samsung’s U.S. systems (the “Data Breach”). According to
`
`Defendant, on or around August 4, 2022, Defendant determined through its ongoing investigation
`
`that personal information of its customers was affected. Although Defendant identified the incident
`
`as early as August 4, 2022, Defendant did not warn those most at risk––Plaintiffs and Class
`
`members, until September 2, 2022.
`
`4.
`
`The Data Breach exposed Plaintiffs’ and Class members’ personally identifiable
`
`information to criminals, including, but not limited to, name, contact and demographic
`
`information, date of birth, and product registration information (“PII”).
`
`5.
`
`The PII that unauthorized persons accessed on Defendant’s systems can be used by
`
`criminals alone, and in conjunction with other pieces of information, to perpetrate crimes against
`
`Plaintiffs and Class members that can result in significant liability and damage to their money,
`
`property, creditworthiness, reputation, and their ability to pay current loans, improve their credit,
`
`and/or obtain loans on favorable terms in the future.
`
`6.
`
`Plaintiffs and Class members entrusted Defendant with their sensitive PII.
`
`Defendant understands the importance of protecting such information. For example, on its website,
`
`Defendant states “How We Protect Personal Information” and explains “We maintain safeguards
`
`designed to protect personal information we obtain through the Services.”1
`
`7.
`
`Defendant’s representations concerning privacy practices and data security were
`
`false. Defendant does not state the date that it began investigating the incident, only that on or
`
`
`1 See https://www.samsung.com/us/account/privacy-policy/ (last visited Sept. 21, 2022).
`
`
`around August 4, 2022, Defendant determined that its customers’ information was acquired in the
`
`Data Breach that occurred in late July 2022. Criminals breached Defendant’s inadequately
`
`defended systems, and accessed and acquired electronic files containing the PII of Plaintiffs and
`
`Class members. The criminals gained unauthorized access by thwarting, circumventing, and
`
`defeating Defendant’s unreasonably deficient data security measures and protocols. Defendant did
`
`not start notifying Plaintiffs and other Class members of the Data Breach until on or around
`
`September 2, 2022.
`
`8.
`
`Plaintiffs, individually, and on behalf of all persons similarly situated, seek to be
`
`made whole for the losses incurred by Plaintiffs and other victims of the Data Breach, and the
`
`losses that will be incurred in the future. Plaintiffs also seek injunctive relief in the form of
`
`compliant data security practices, full disclosure regarding the disposition of the information in
`
`Defendant’s systems, and monitoring and audits of Defendant’s security practices going forward
`
`because Defendant continues to collect, maintain, and store Plaintiffs’ and Class members’ PII.
`
`PARTIES, JURISDICTION, AND VENUE
`
`9.
`
`Plaintiff Jorge Newbery resides in Barrington, Illinois and is a citizen of Illinois.
`
`10.
`
`Plaintiff Holly Ringling resides in San Antonio, Texas and is a citizen of Texas.
`
`11.
`
`Defendant is a New York corporation with its principal place of business in
`
`Ridgefield Park, New Jersey.
`
`12.
`
`The Court has original jurisdiction under the Class Action Fairness Act (“CAFA”),
`
`28 U.S.C. § 1332(d)(2), because this is a Class action involving 100 or more Class members and
`
`the amount in controversy exceeds $5,000,000, exclusive of interest and costs. Many members of
`
`the Class, including Plaintiffs, are citizens of different states from Defendant.
`
`
`13.
`
`Venue is proper in this District under 28 U.S.C. §§ 1391(a)(2), 1391(b)(2), and
`
`1391(c)(2), as a substantial part of the events giving rise to the claims emanated from activities
`
`within this District, and Defendant conducts substantial business in this District.
`
`GENERAL ALLEGATIONS
`
`The Data Breach
`
`14.
`
On or about September 2, 2022, Defendant provided notice to Plaintiffs and Class
`
`members (“Data Breach Notice”) via email and posted an “Important Notice Regarding Customer
`
`Information” on its website.2 In the Data Breach Notice, Defendant states that in late July 2022,
`
`an unauthorized third party acquired information from some of Samsung’s U.S. systems that
`
`contain the personal information of Plaintiffs and Class members. A true and correct copy of the
`
`Data Breach Notice sent to each Plaintiff is attached as Exhibit 1.
`
`15.
`
`The Data Breach Notice states that personal information pertaining to Plaintiffs and
`
`Class members was acquired by an unauthorized person in the Data Breach.
`
`16.
`
`Defendant states that Plaintiffs’ and Class members’ information acquired in the
`
`Data Breach includes customer name, contact and demographic information, date of birth, and
`
`product registration information. See Exhibit 1.
`
`17.
`
`Since discovering the Data Breach, Defendant states that “We have taken actions
`
`to secure the affected systems” and that “By working with industry - leading experts, we will
`
`further enhance the security of our systems - and your personal information.” See Exhibit 1. These
`
`are actions that should have been employed in the first place and they would have prevented or
`
`limited the impact of the Data Breach.
`
`
`2 See https://www.samsung.com/us/support/securityresponsecenter/ (last visited Sept. 21, 2022).
`
`
`18.
`
`Defendant does not state when the Data Breach was first detected. See Exhibit 1.
`
`Defendant states that on or around August 4, 2022, Defendant determined through its “ongoing
`
`investigation that personal information of certain customers was affected.” Id. Defendant did not
`
publicly announce the Data Breach or notify those whose PII was accessed by criminals in the
`
`Data Breach at that time.
`
`19.
`
`On or around September 2, 2022—almost a month after learning that its customers’
`
`information was acquired by criminals in the Data Breach—Defendant sent Data Breach Notices
`
`to Plaintiffs and other persons whose PII was accessed by the criminals.
`
`20.
`
`In the Data Breach Notice, Defendant provided information to Plaintiffs and Class
`
`members about additional steps they can take to help protect themselves. Defendant provided the
`
`contact information of the three credit bureaus that Plaintiffs and Class members could contact to
`
`obtain a credit report to help them detect possible misuse of PII. See Exhibit 1.
`
`21.
`
`Additionally, Defendant provides FAQs on its website and recommends that
`
`Plaintiffs and Class members (a) remain cautious of any unsolicited communications that ask for
`
`your personal information or refer you to a web page asking for personal information; (b) avoid
`
`clicking on links or downloading attachments from suspicious emails; and (c) review your
`
`accounts for suspicious activity. 3
`
`22.
`
`As a result of the Data Breach, Plaintiffs and Class members have been and must
`
`continue to be vigilant and review their credit reports for incidents of identity theft or fraud, and
`
`educate themselves about security freezes, fraud alerts, and other steps to protect themselves
`
`against identity theft.
`
`
`
`
`3 See https://www.samsung.com/us/support/securityresponsecenter/ (last visited Sept. 21, 2022).
`
`
`Industry Standards for Data Security
`
`23.
`
`Defendant is aware of the importance of safeguarding Plaintiffs’ and Class
`
members’ PII, and that by virtue of its business it places Plaintiffs’ and Class members’ PII at risk of
`
`being targeted by hackers.
`
`24.
`
`Defendant is aware that the PII that it collects, organizes, and stores, can be used
`
`by criminals to engage in crimes such as identity fraud and theft using Plaintiffs’ and Class
`
`members’ PII.
`
`25.
`
`Because of Defendant’s failure to implement, maintain, and comply with necessary
`
`cybersecurity requirements, Defendant was unable to protect Plaintiffs’ and Class members’
`
`information and confidentiality, and protect against obvious and readily foreseeable threats to
`
`information security and confidentiality. As a proximate result of such failures, criminals gained
`
`unauthorized access to Defendant’s U.S. systems, and acquired Plaintiffs’ and Class members’ PII
`
`in the Data Breach without being stopped.
`
`26.
`
`Only after the attack was completed did Defendant begin to undertake basic steps
`
`recognized in the industry to protect Plaintiffs’ and Class members’ PII.
`
`27.
`
`Defendant was unable to prevent the Data Breach, and was unable to detect the
`
`unauthorized access to vast quantities of sensitive and protected files containing protected
`
`information of Plaintiffs and Class members. Discovery on Defendant, law enforcement
`
`investigators, and private investigators, will reveal more specific facts about Defendant’s deficient
`
`and unreasonable security procedures.
`
`28.
`
`Security standards commonly accepted among businesses that store personal
`
`information using the Internet include, without limitation:
`
a) Maintaining a secure firewall configuration;

b) Monitoring for suspicious or irregular traffic to servers;

c) Monitoring for suspicious credentials used to access servers;

d) Monitoring for suspicious or irregular activity by known users;

e) Monitoring for suspicious or unknown users;

f) Monitoring for suspicious or irregular server requests;

g) Monitoring for server requests for personal information;

h) Monitoring for server requests from VPNs; and

i) Monitoring for server requests from Tor exit nodes.
`
`29.
`
`The U.S. Federal Trade Commission (“FTC”) publishes guides for businesses for
`
`cybersecurity4 and protection of personal information5 which includes basic security standards
`
`applicable to all types of businesses.
`
`30.
`
`The FTC recommends that businesses:
`
a) Identify all connections to the computers where you store sensitive information;

b) Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

c) Do not store sensitive consumer data on any computer with an internet connection unless it is essential for conducting their business;

d) Scan computers on their network to identify and profile the operating system and open network services. If services are not needed, they should be disabled to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, a business should consider closing the ports to those services on that computer to prevent unauthorized access to that machine;

e) Pay particular attention to the security of their web applications—the software used to give information to visitors to their websites and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks;

f) Use a firewall to protect their computers from hacker attacks while it is connected to a network, especially the internet;

g) Determine whether a border firewall should be installed where the business’s network connects to the internet. A border firewall separates the network from the internet and may prevent an attacker from gaining access to a computer on the network where sensitive information is stored. Set access controls—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, they should be reviewed periodically;

h) Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day; and

i) Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from their system to an unknown user. If large amounts of information are being transmitted from a business’ network, the transmission should be investigated to make sure it is authorized.

4 See F.T.C., Start with Security: A Guide for Business, (June 2015), https://www.ftc.gov/business-guidance/resources/start-security-guide-business (last accessed Sept. 20, 2022).

5 See F.T.C., Protecting Personal Information: A Guide for Business, (Oct. 2016), https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last accessed Sept. 20, 2022).
`
`
`
`
`
`
`
`
`
`
`
`31.
`
`The FTC has brought enforcement actions against businesses for failing to
`
`adequately and reasonably protect customer information, treating the failure to employ reasonable
`
`and appropriate measures to protect against unauthorized access to confidential consumer data as
`
`an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTC
`
`Act”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses
`
`must take to meet their data security obligations.6
`
`
6 F.T.C., Privacy and Security Enforcement: Press Releases, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement (last accessed Sept. 20, 2022).
`
`
`32.
`
`Because Defendant was entrusted with consumers’ PII, it had and has a duty to keep
`
`the PII secure.
`
`33.
`
`Plaintiffs and Class members reasonably expect that when they provide their PII to
`
`a company, the company will safeguard their PII.
`
`34.
`
`Despite Defendant’s obligations, Defendant failed to upgrade and maintain its data
`
`security systems in a meaningful way so as to prevent the Data Breach.
`
`35.
`
`Specifically, in breach of its duties, Defendant failed to:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
a) Replace email filtering tools, malware software, and Internet monitoring tools with more robust solutions that utilize artificial intelligence (“AI”) to detect and block known and newly introduced malware;

b) Block all inbound and outbound Internet, email, and network traffic to foreign countries;

c) Maintain a secure firewall configuration;

d) Monitor for suspicious or irregular traffic to servers;

e) Monitor for suspicious credentials used to access servers;

f) Monitor for suspicious or irregular activity by known users;

g) Monitor for suspicious or unknown users;

h) Monitor for suspicious or irregular server requests;

i) Monitor for server requests for personal information;

j) Monitor for server requests from VPNs;

k) Monitor for server requests from Tor exit nodes;

l) Identify all connections to the computers where Defendant stores sensitive information;

m) Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

n) Scan computers on Defendant’s network to identify and profile the operating system and open network services, and disable services that are not needed to prevent hacks or other potential security problems;

o) Pay particular attention to the security of Defendant’s web applications—the software used to give information to visitors to its websites and to retrieve information from them;

p) Use a firewall to protect Defendant’s computers from hacker attacks while they are connected to a network, especially the Internet;

q) Not store sensitive consumer data on any computer with an internet connection unless it is essential for conducting its business;

r) Determine whether a border firewall should be installed where the business’s network connects to the internet. A border firewall separates the network from the internet and may prevent an attacker from gaining access to a computer on the network where sensitive information is stored. Set access controls—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, they should be reviewed periodically;

s) Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day; and

t) Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from their system to an unknown user. If large amounts of information are being transmitted from a business’ network, the transmission should be investigated to make sure it is authorized.
`
`
`
`36.
`
`Had Defendant properly maintained its systems and adequately protected them,
`
`Defendant could have prevented the Data Breach.
`
`Defendant Owed Duties to Plaintiffs and Class Members
`to Adequately Secure and Safeguard Their PII
`
`
`37.
`
`Defendant is aware of the importance of security in maintaining personal
`
`information (particularly sensitive personal information), and the value consumers place on
`
`keeping their PII secure.
`
`
`38.
`
`Defendant owes duties to Plaintiffs and the Class members to maintain adequate
`
`security and safeguards to protect the confidentiality of their PII.
`
`39.
`
`Defendant owes a further duty to its customers to immediately and accurately notify
`
`them of a breach of its systems to protect them from identity theft and other misuse of their personal
`
`data and to take adequate measures to prevent further breaches.
`
`The Categories of PII at Issue Here Are Valuable to Criminals
`
`40.
`
`Businesses that solicit, aggregate, and store sensitive PII are likely to be targeted
`
`by cyber criminals.
`
`41.
`
`The FTC has released its updated publication on protecting PII for businesses,
`
`which includes instructions on protecting PII, properly disposing of PII, understanding network
`
`vulnerabilities, implementing policies to correct security problems, using intrusion detection
`
`programs, monitoring data traffic, and having in place a response plan.
`
`42.
`
`The FTC has, upon information and belief, brought enforcement actions against
`
`businesses for failing to protect PII. The FTC has done this by treating a failure to employ
`
`reasonable measures to protect against unauthorized access to PII as a violation of the FTC Act,
`
`15 U.S.C. § 45.
`
`43.
`
`General policy reasons support such an approach. A person whose personal
`
`information has been compromised may not see any signs of identity theft for years. According to
`
`a U.S. Government Accountability Office report:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be
`held for up to a year or more before being used to commit identity theft.
`Further, once stolen data have been sold or posted on the Web, fraudulent
`use of that information may continue for years. As a result, studies that
`attempt to measure the harm resulting from data breaches cannot necessarily
`rule out all future harm.7
`
`
`7 See https://www.gao.gov/assets/gao-07-737.pdf at 29 (last visited Sept. 20, 2022).
`
`
`44.
`
`Companies recognize that PII is a valuable asset. Indeed, PII is a valuable
`
`commodity. A “cyber black-market” exists in which criminals openly post PII on a number of
`
`Internet websites. Plaintiffs’ and Class members’ personal data that was stolen has a high value on
`
`both legitimate and black markets.
`
`45.
`
`At an FTC public workshop in 2001, then-Commissioner Orson Swindle described
`
`the value of a consumer’s personal information as follows:
`
`The use of third party information from public records, information
`aggregators and even competitors for marketing has become a major
`facilitator of our retail economy. Even [Federal Reserve] Chairman [Alan]
`Greenspan suggested here some time ago that it’s something on the order of
`the life blood, the free flow of information.8
`
`46.
`
`Individuals rightfully place a high value not only on their PII, but also on the
`
`privacy of that data. Researchers have already begun to shed light on how much individuals value
`
`their data privacy—and the amount is considerable.
`
`47.
`
`Notably, one study on website privacy determined that U.S. consumers valued the
`
`restriction of improper access to their personal information—the very injury at issue here—
`
`between $11.33 and $16.58 per website. 9 The study also determined that “[a]mong U.S. subjects,
`
`protection against errors, improper access, and secondary use of personal information is worth
`
`US$30.49 – 44.62.”10 This study was done in 2002. The sea-change in how pervasive the Internet
`
`is in everyday lives since then indicates that these values—when associated with the loss of PII to
`
`bad actors—would be exponentially higher today.
`
`
8 FEDERAL TRADE COMMISSION, The Information Marketplace: Merging and Exchanging Consumer Data, transcript, p. 8, available at http://www.ftc.gov/news-events/events-calendar/2001/03/information-marketplace-merging-exchanging-consumer-data (last visited Sept. 20, 2022).

9 Hann, Hui, et al, The Value of Online Information Privacy: Evidence from the USA and Singapore, at p. 17. Oct. 2002, available at https://www.comp.nus.edu.sg/~ipng/research/privacy.pdf (last visited Sept. 20, 2022).

10 Id.
`
`
`48.
`
`Identity thieves may commit various types of crimes such as immigration fraud,
`
`obtaining a driver’s license or identification card in the victim’s name but with another’s picture,
`
`and/or using the victim’s information to obtain a fraudulent tax refund or fraudulent unemployment
`
`benefits. The United States government and privacy experts acknowledge that it may take years
`
`for identity theft to come to light and be detected.
`
`49.
`
`To date, Defendant has not offered Plaintiffs and Class members any compensation
`
`or relief as a result of the Data Breach.
`
`50.
`
The information Defendant allowed to be compromised and taken is such that
`
`the harms to Plaintiffs and the Class will continue to grow, and Plaintiffs and Class members will
`
`continue to be at substantial risk for further imminent and future harm.
`
`Damages from Data Breaches
`
`51.
`
`According to Javelin Strategy & Research, in 2017 alone over 16.7 million
`
`individuals were affected by identity theft, causing $16.8 billion to be stolen.
`
`52.
`
`Consumers place a high value not only on their personal information, but also on
`
`the privacy of that data. This is because identity theft causes “significant negative financial impact
`
`on victims” as well as severe distress and other strong emotions and physical reactions.
`
`53.
`
`The United States Government Accountability Office explains that “[t]he term
`
`‘identity theft’ is broad and encompasses many types of criminal activities, including fraud on
`
`existing accounts—such as unauthorized use of a stolen credit card number—or fraudulent
`
`creation of new accounts—such as using stolen data to open a credit card account in someone
`
`else’s name.” See In re Zappos.com, Inc., 888 F.3d 1020, 1024 (9th Cir. 2018). The GAO Report
`
`notes that victims of identity theft will face “substantial costs and time to repair the damage to
`
`their good name and credit record.”
`
`
`54.
`
`The FTC recommends that identity theft victims take several steps to protect their
`
`personal information after a data breach, including contacting one of the credit bureaus to place a
`
`fraud alert (consider an extended fraud alert that lasts for 7 years if someone steals their identity),
`
`reviewing their credit reports often, contacting companies to remove fraudulent charges from their
`
`accounts, placing a credit freeze on their credit, and correcting their credit reports.
`
`55.
`
`Identity thieves use stolen personal information for “various types of criminal
`
`activities, such as when personal and financial is used to commit fraud or other crimes,” including
`
`“credit card fraud, phone or utilities fraud, bank fraud and government fraud.” In re Zappos.com,
`
`Inc., 888 F.3d at 1024. The information exfiltrated in the Data Breach can also be used to commit
`
`identity theft by placing Plaintiffs and Class members at a higher risk of “phishing,” “vishing,”
`
“smishing,” and “pharming,” which are ways for hackers to exploit information they
`
`already have to get even more personally identifying information through unsolicited email, text
`
`messages, and telephone calls purportedly from a legitimate company requesting personal,
`
`financial, and/or login credentials.
`
`56.
`
`There may be a time lag between when harm occurs versus when it is discovered,
`
`and also between when personal information is stolen and when it is used. According to the U.S.
`
`Government Accountability Office, which conducted a study regarding data breaches:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be
`held for up to a year or more before being used to commit identity theft.
`Further, once stolen data have been sold or posted on the Web, fraudulent
`use of that information may continue for years. As a result, studies that
`attempt to measure the harm resulting from data breaches cannot necessarily
`rule out all future harm.
`
`
`
`
`
`See GAO Report, at p. 29.
`
`57.
`
`Personal information is such a valuable commodity to identity thieves that once the
`
`information has been compromised, criminals often trade the information on the “cyber
`
`
`blackmarket” for years.
`
`58.
`
`Thus, there is a strong probability that entire batches of stolen information have
`
`been dumped on the black market, or are yet to be dumped on the black market, meaning Plaintiffs
`
`and Class members are at an increased risk of fraud and identity theft for many years into the
`
`future.
`
`59.
`
`Data breaches are preventable. As Lucy Thompson wrote in the DATA BREACH
`
`AND ENCRYPTION HANDBOOK, “In almost all cases, the data breaches that occurred could
`
`have been prevented by proper planning and the correct design and implementation of appropriate
`
`security solutions.” She added that “[o]rganizations that collect, use, store, and share sensitive
`
`personal data must accept responsibility for protecting the information and ensuring that it is not
`
`compromised . . . .”
`
`60.
`
`“Most of the reported data breaches are a result of lax security and the failure to
`
`create or enforce appropriate security policies, rules, and procedures. . . . Appropriate information
`
`security controls, including encryption, must be implemented and enforced in a rigorous and
`
`disciplined manner so that a data breach never occurs.”
`
`61.
`
`Indeed, here Defendant took actions to secure the affected systems after the Data
`
`Breach, but should have implemented those actions previously to prevent the Data Breach.
`
`62.
`
`The types of information Defendant acknowledges were stolen by the criminals are
`
`sufficiently sensitive and valuable to identity thieves and criminals in perpetrating identity crimes.
`
`This information can be used to perpetrate scams, victimize the persons who own the information,
`
`and commit identity theft and fraud. With a person’s name, address and birth date in hand,
`
`scammers may be able to buy the person’s Social Security number on websites that normally sell
`
`
`them to businesses conducting background checks.11 If they cannot, just by knowing your birth
`
`date and hometown, scammers can often guess most, if not all, the digits of your Social Security
`
`number.12
`
`63.
`
`Criminals can use PII to devise and employ phishing and social engineering
`
`schemes capitalizing on the genuine information stolen from Defendant to send fraudulent mail
`
`and other communications to Plaintiffs and Class members that look authentic, but which are
`
`designed to lure them into paying money or providing other information that the criminals can use
`
`to steal money.
`
`Plaintiffs Received Defendant’s Data Breach Notification Letter
`
`64.
`
`In or about April 2019, Plaintiff Ringling purchased two Samsung mobile phones
`
`from a Boost Mobile store. Her phones were registered with Samsung by Boost Mobile using her
`
`personal information.
`
`65.
`
`On September 2, 2022, Plaintiff Ringling received an email from Samsung
`
`notifying her of the Data Breach. See Exhibit 1. Plaintiff Ringling has Experian credit monitoring.
`
`Due to the Data Breach, Plaintiff Ringling plans to renew her Experian credit monitoring.
`
`66.
`
`On or about December 2016, Plaintiff Newbery purchased a Samsung mobile
`
`phone from a Verizon store. His phone was registered with Samsung by Verizon using his personal
`
`information.
`
`67.
`
`On September 2, 2022, Plaintiff Newbery received an email from Samsung
`
`notifying him of the Data Breach. See Exhibit 1. Prior to receiving the Data Breach Notice, Plaintiff
`
`Newbery subscribed to a Silver membership with DebtCleanse on a month-to-month basis. After
`
`
11 See https://www.aarp.org/money/scams-fraud/info-2014/protect-these-numbers-from-scammers.html (last visited Sept. 21, 2022).
`12 Id.
`
`
`receiving the Data Breach Notice, Plaintiff Newbery upgraded his DebtCleanse monthly
`
`membership to a Gold membership to add Identity Theft Protection and Dark Web Monitoring.
`
`Plaintiff Newbery plans on renewing his DebtCleanse Gold membership due to the Data Breach.
`
`68.
`
`Plaintiffs and Class members provided Defendant with significant personal
`
`info