A lawsuit accused Samsung of failing to respond to a cyber intrusion in early 2022, resulting in the theft of personally identifiable information (PII) from US customers in a second attack months later in July.
The suit [PDF], filed this month in a federal district court in Northern California seeking class-action status, alleges that Samsung unnecessarily collects PII from its customers and, as demonstrated in the aforementioned July cyber heist, does not adequately protect the data it collects.
The theft of that customer data, which the lawsuit says includes personal records on more than half of Samsung’s U.S. user base, stems from a cyberattack on the U.S. arm of the Korean tech giant in February. In this case, the notorious Lapsus$ cyber extortion gang stole and leaked nearly 200GB of Sammy’s internal documents and files.
Although no customer PII was included in the published documents, source code for, among other things, Samsung Knox’s security management framework, its bootloader, and online account creation and authentication was taken. The lawsuit alleges that Samsung’s failure to shore up its systems following this exfiltration led directly to an intrusion in July in which personal data was harvested from the chaebol’s servers by miscreants.
Samsung “was aware that fraudsters and criminals who had access to stolen source codes and authentication-related information (among other confidential data) could break into defendant’s weak systems,” the suit alleges.
Earlier this month, Samsung admitted its network had been infiltrated weeks before in July and data had been stolen. We asked the company for comment, and got no response.
No reason to have all that PII
The lawsuit may have been sparked by Samsung’s pair of security snafus, though the core of the case centers on the giant unnecessarily forcing customers to register for Samsung accounts online and provide PII to unlock the basic functionality of their devices.
Whether it’s smartphones, watches, TVs, printers, or other hardware, the lawsuit alleges that drivers, updates, and other features critical to the device’s operation are locked behind customer registration.
“Consumers are therefore compelled to register accounts,” the lawsuit states. It claims that Samsung collects data including names, birth dates, addresses, geolocation data, emails, phone numbers and device information.
The suit argues that the collection of this data is unnecessary; instead, Samsung gathers it to “increase profits, gather customer insights, and be able to track their customers and behaviors.”
Based on Samsung’s marketing and data privacy policies, the lawsuit says, customers have a reasonable expectation that even if they transmit unnecessary data, Samsung will protect it.
According to the court record, customers “relied to their detriment on [Samsung’s] consistent representations and omissions regarding data security, including failure to alert customers that its security protections were inadequate, and that [Samsung] would forever store complainant and customer PII, failing to archive, protect, or at the very least warn consumers of the anticipated and foreseeable data breach.”
The lawsuit alleges that Samsung violated multiple consumer protection and competition laws in Michigan and California (where the two named plaintiffs reside). Additionally, the lawsuit alleges that Samsung deceived customers through concealment, intentionally misrepresented its products, and breached express and implied warranties.
The plaintiffs seek at least $5,000,000 in damages and costs, and also ask that Samsung be required to submit to external audits and penetration tests, better train its employees to resist cyberattacks and social engineering, and destroy data belonging to class members.
Samsung’s response to the complaint is expected in two weeks on October 11. ®