A class action lawsuit has accused Samsung of failing to address a data breach in early 2022, leading to the theft of US customers’ personally identifiable information (PII) in a second attack earlier this month.
The suit, filed in US District Court for the Northern District of California, alleges that Samsung unnecessarily collects PII from its customers and, as demonstrated in the aforementioned September cyberattack, fails to adequately protect the data it collects.
The theft of the data, which the suit claims includes PII from more than half of Samsung’s US customer base, stems from a cyberattack against the Korean tech giant’s US arm in February. In that case, notorious cyber extortion gang Lapsus$ stole nearly 200GB of internal documents and files.
While no customer PII was included in the stolen data, source code for Samsung’s Knox security framework and its Bootloader, along with data surrounding account creation and authentication, were taken. The suit alleges that Samsung’s failure to shore up compromised systems led directly to the September attack.
Samsung “was aware that the fraudsters and criminals who had access to the stolen source codes and authentication-related information (among other confidential data) could penetrate Defendant’s weak systems,” the suit alleges.
We’ve asked Samsung to comment, but haven’t heard back.
No reason to have all that PII
The suit may have been triggered by Samsung’s pair of breaches, but the legal core of the case accuses the company of unnecessarily requiring customers to register for Samsung accounts and provide PII to unlock basic features of their devices.
Whether the device is a smartphone, watch, TV, printer or other hardware, the suit alleges that drivers, updates, and other features essential to its operation are locked behind customer enrollment.
“Consumers are therefore forced to register accounts,” the suit says. It claims that Samsung collects data including names, dates of birth, addresses, geolocation data, emails, phone numbers, and device information.
The suit argues that collecting that data isn’t necessary; instead, Samsung snags it to “increase its profits, gather information regarding its customers, and be able to track their customers and their behaviors.”
Based on Samsung’s marketing and data privacy policies, the suit said, customers have a reasonable expectation that even if they’re handing over unnecessary data, Samsung is going to protect it.
According to the court filing, customers “relied to their detriment on [Samsung’s] uniform representations and omissions regarding data security, including failure to alert customers that its security protections were inadequate, and that [Samsung] would forever store Plaintiffs’ and customers’ PII, failing to archive it, protect it, or at the very minimum warn consumers of the anticipated and foreseeable data breach.”
The suit alleges that Samsung violated multiple Michigan and California (where the two named plaintiffs reside) consumer protection and competition laws. In addition, the suit alleges that Samsung deceived customers by concealment, intentionally misrepresented its products, and breached express and implied warranties.
The plaintiffs are asking for $5,000,000 in damages, as well as an order requiring Samsung to submit to external audits and penetration tests, to better train its employees to resist cyberattacks and social engineering, and to destroy data belonging to class members.
Samsung’s response to the class action complaint is due in two weeks, on October 11.