Data Breach Complaint Faults Samsung’s ‘Unconscionably Vague and Self-Serving’ Response
The 362-page consolidated class action filed Monday in U.S. District Court for New Jersey in Camden arising from last summer’s Samsung data breach (see 2305230049) includes previously undisclosed detail on its allegedly lax security procedures and the questionable manner in which it disclosed the hack to its customers. The consolidated complaint (docket 1:23-md-03055) asserts claims on behalf of a nationwide class of Samsung account holders, plus state subclasses in all 50 states.
Samsung inexplicably waited until Sept. 2, the Friday before Labor Day, before disclosing to customers, mainly through email notifications, that their personally identifiable information (PII) had been exposed to hackers, said the complaint. This was when “much of the U.S. was already focused on the holiday weekend,” it said. “Because mass email messages often go directly to junk or spam folders or look innocuous or unimportant enough to be deleted without being read,” it’s likely that many of the customers affected by the data breach never received Samsung’s notification, it said.
Despite being one of the world’s largest tech companies, Samsung claims it didn’t discover the breach until Aug. 4, “weeks after the fact,” said the complaint. “Samsung then compounded the damage inherent in its belated discovery of the breach by waiting nearly an additional month” to disclose the breach to affected customers and “the public at large,” it said.
Samsung’s Sept. 2 disclosure was “inexcusably late” but also “unconscionably vague and self-serving,” said the complaint. Samsung’s carefully worded statements “failed to shed light on many of the details” surrounding the data breach, it said. It didn’t address “crucial aspects,” such as the origin of the breach, how it was uncovered, the scope of the Samsung systems affected or the reasons for the nearly month-long delay in disclosing the hack, it said. Nearly nine months after the disclosure, Samsung customers are still in the dark about the number of accounts affected, the extent of the customer data exposed and the precise nature of the PII compromised, it said.
When Samsung disclosed that outside actors “acquired” data, “it meant that hackers exfiltrated the data,” said the complaint. If hackers stole data, “the network was not set up properly, Samsung did not protect that data, and the hackers deeply penetrated” Samsung’s network, it said. Samsung’s statements that in some cases, the hackers took customer names, contact and demographic information and date of birth and product registration information “suggests Samsung was trying to limit what it shared with the public about the breach,” it said.
Samsung’s notifications fell “woefully short of the requirements imposed by certain state data security statutes,” including the California Civil Code, Section 1798.82(d)(1), said the complaint. “Timely and complete notification of a data breach is essential so that consumers can take steps to prevent misuse of the information, mitigate harm that has already occurred, and avoid additional harm,” it said. When consumers are promptly notified of a data breach that may have included sensitive personal information, “they can check for signs of identity theft, such as new accounts or loans in their name,” it said. “Consumers can also take protective measures such as changing passwords on affected accounts to prevent unauthorized access.”
It’s likely that criminals “exfiltrated highly sensitive geolocation data” in the breach, but due to Samsung’s “wholly inadequate disclosures,” consumers still don’t have a “clear understanding” of what data was exposed, said the complaint. The exfiltration of geolocation data “poses significant and grave concerns,” it said. Where geolocation data can be tied to a particular individual, “the harms associated with the distribution of detailed geolocation data may outweigh countervailing benefits to consumers or competition,” it said. Precise geolocation data tied to an individual “can invade the person’s privacy,” and can be used to “maliciously track and target a person and his or her family,” it said.
In the years immediately preceding the data breach, Samsung “knew or should have known that its computer systems were a target for cybersecurity attacks,” said the complaint. “Had Samsung been diligent and responsible, it would have known about and acted upon warnings published in 2017 that 93% of data security breaches were avoidable,” it said. Data security experts say the vast majority of data breaches are preventable if companies follow widely available advice on data security practices, it said: “Upon information and belief, Samsung did not follow this advice.”
Samsung didn’t publicly comment on Monday’s consolidated complaint. Its response to the complaint is due July 21 (see 2305090038), when it’s expected to assert plans to seek to compel all the individual claims to binding arbitration.