Claire’s Cyber Attack LIT Settlement

Claire’s Cyber Attack LIT Settlement

Claire’s has agreed to resolve claims of data mismanagement in a 2020 hacking theft that compromised sensitive customer credentials with a $350000 settlement. This is going to benefit consumers whose personal information might have been compromised between 7th April and 17th June 2020 in Claire’s data breach.

Settlement Website: CyberAttackLITSettlement.com
Objection Deadline: 08/25/2022
Exclusion Deadline: 08/25/2022
Claim Form: https://www.cyberattacklitsettlement.com/claims_filing.html
Deadline For Submitting Claim Form: 09/24/2022
Final Hearing Date: 09/27/2022
Settlement Amount: $350K
Potential Claim Amount: Up to $3000
Proof Of Purchase: Last four digits of the affected card(s) or unique identifier from notice and receipts or other records for each section of claim will be required for maximum payout. 

Claire’s is Illinois-based jewelry, accessory, and toy retailer having physical stores in nearly 3500 locations worldwide alongside e-commerce operations. It fell prey to a data breach in 2020 which lasted for at least seven weeks. As per Bank Info Security, hackers infiltrated the company’s Salesforce Commerce Cloud environment allowing third parties to insert a malicious code onto the e-commerce platform to steal payment card data.

Netherlands-based security firm Sansec spotted and reported the hack attack directly to Claire’s on June 11th. This firm specializes in searching for signs of Magecart-style attacks where the attackers sneak attack code onto sites accepting payment cards. Some other victims of similar attacks include Ticketmaster UK and British Airways. The security firm revealed that a data scraping code was added to Claire’s website which was capable of obtaining information entered by customers during checkout and sending it out of Claire’s system.

On being informed about the issue Claire’s hired an outside security firm to look into the matter. The attack on Claire’s occurred right after the COVID lockdown. Claire’s confirmed the breach to Information Security Media Group adding that they have removed the code and taken additional steps for reinforcing their platform’s security. The accessory giant also added that they have notified both card issuers as well as law enforcement agencies and are working diligently to determine the involved transactions to notify the individuals.

However, multiple consumers took legal action against Claire’s arguing that the data breach could have been prevented by the company. Plaintiffs in the data breach class action lawsuit added that the company’s lax security caused the data breach. Illinois resident Julia Rossi blamed both the shoddy security system of Claire’s that enabled the breach and the insufficient compensation offered by the company wherein they shirked responsibility towards the customers. She added that customers had to face financial losses because of Claire’s shortcomings as their sensitive information fell into the wrong hands.

Rossi made multiple online purchases through the jewelry store website of Claire’s and provided her personal information including her name, address, credit card number, and more. She experienced an array of problems after this information was exposed in the June 2020 data breach. Rossi was flooded with phishing calls and spam mail from untrustworthy and unwanted sources. Next, she spent hours monitoring her financial accounts, reviewing credit reports, and being on the lookout for identity theft and fraud to protect herself. Rossi wouldn’t have shared her personal information with the company had she been made timely aware of Claire’s data breach.

It was Claire’s legal duty to protect its customer’s data. Moreover, given the high-profile data breaches experienced by other companies recently, Claire’s should have been more cautious about the risks involved. Rossi adds that Claire’s became aware on 12th June 2020 that a computer code has been added to the website by a hacker allowing them to obtain customer’s personal information provided during checkout including name, phone number, address, email address, payment card number, verification code, expiration date, etc. This data breach was active from 7th April to 12th June but Claire’s didn’t inform its customers about the same until 7th July.

Waiting almost an entire month to inform customers robbed the latter of valuable time which could have been used to protect their identity. The compromised information in Claire’s data breach can be easily sold on the dark web to thieves and hackers who can use this information to commit identity theft and fraud. The class-action lawsuit alleges that if the information falls into the wrong hands, it can cause serious financial injury to consumers which can either take years to repair or might often be irreparable. By being timely notified, consumers could have changed their credit card numbers and passwords.

Claire’s jewelry store officials offered a year’s identity theft insurance to its customers but this is “woefully inadequate” as per Rossi. Plaintiffs Kelvin Holmes and Delilah Parker were notified of Claire’s data breach in early July which was almost a month after Claire’s came to know about the data breach. Had the retailer not made the delay, the plaintiffs could have used this valuable time in strengthening their security parameters to fight identity theft and fraud. Both Holmes and Parker made purchases on Claire’s website in May and were informed about their credentials being exposed in July. They allegedly suffered from fraud by being denied the valuable time to combat the data breach.

Parker had to bear more than $700 in fraudulent charges. Although her bank acknowledged these charges to be fraudulent it took considerable time for these expenses to be reimbursed. Holmes didn’t suffer from fraudulent charges but has been inundated with suspicious communications and phishing emails because of his compromised personal data. The plaintiffs argue that Claire’s failed to protect consumer data despite being aware of the prominence of these hackers since 2010 and the risk involved.

Though Claire’s hasn’t confessed to any wrongdoing, it has agreed to resolve all allegations with a settlement fund ranging up to $350000. This amount will be completely used to pay consumer claims. Administration expenses, attorney’s fees, and other costs will be covered by additional payments from the company. According to the settlement terms, class members are eligible for payments made on account of expense reimbursement and extraordinary expense reimbursement.

The first type of reimbursement includes compensation for interest, bank fees, mileage up to three hours of lost time @ $19/hour, postage, $19 for each card to whom fraudulent charges had been reimbursed, and credit monitoring and identity theft protection up to $50. The maximum ceiling of expense reimbursement per class member is $250. Extraordinary expense reimbursement payments will compensate customers for unreimbursed monetary losses suffered by them because of the data breach. This will include both unreimbursed identity theft expenses and fraudulent charges which have been capped at $3000 per claimant. Class members are also eligible to receive a year’s free Experian’s IdentityWorks identity protection services. The settlement notice sent to each class member contains a link and redeemable code for the services.

ADVERTISEMENT