10 of the Biggest Data Breach Lawsuits in U.S. History
A data breach is a serious security violation, which happens when unauthorized people gain access to sensitive, protected, and confidential data and either view, copy, transmit or steal the data. These data breaches can happen when individuals hack a system for personal gain or malicious reasons like organized crime or politically motivated reasons. They can also happen because of poorly configured security systems. They often involve personal and financial information like credit cards, bank information, health information, company trade secrets, or stolen intellectual property. Data breaches can lead to different criminal activities like identity theft.
After the world became a global village due to the internet, data became a valuable commodity. Nowadays, almost every website requires people to give personal details to sign into an account. All companies and giant corporations moved from the physical filing of information to digital information storage. Banks have become mobile, and people can deposit and withdraw money from their phones. The internet runs the world. When a company doesn’t protect its clients from data breaches, consumers can file lawsuits against negligent companies. Companies like Equifax, Amazon, T-mobile, and Tiktok have had to pay millions to settle data breach lawsuits against them. Here are 10 of U.S history’s most significant data breach lawsuits and their settlements.
10. Office of Personnel Management(OPM) – $63 Million
In 2022, The Office of Personnel Management and its security contractor Peraton agreed to a $63 million settlement to resolve a lawsuit against them. In 2014 and 2015, OPM was hacked, while Peraton was hacked in 2013 and 2014. OPM is a federal agency that provides human resource functions for federal government employees. It is responsible for retirement, insurance, and benefits for government employees. The hacks compromised the personal information of then-current and former federal government employees, contractors, and people who had applied for federal employment. In 2015, AFGE filed a class action lawsuit against OPM, alleging that they disobeyed security policies and acted oblivious to warnings, leading to data breaches. In the lawsuit, AFGE accused the Office of Personnel Management of using poor data security practices and poor private sector strategies to solve its security problems.
They accused OPM of neglecting their responsibilities to guard personal information for government employees despite numerous warnings about their poor data security policies that could lead to a massive data breach. The OPM did not reveal the extent of the breach or how many employees were affected, nor did it reveal the stolen information. According to AFGE, class members could receive up to $10,000 for out of pocket expenses.
9. TikTok – $92 Million
In 2021, Tiktok’s parent company ByteDance agreed to a $92 million settlement to resolve claims that the company had harvested its user’s data without consent and sold it to other third-party companies. The lawsuit was an aggregation of 21 other lawsuits filed against many minors that accused Tiktok of stealing personally identifiable data from Tiktok users. Court documents show that the plaintiffs filed the case in the U.S District Court of Illinois, and it stated that Tiktok uses a complex artificial intelligence system and facial recognition features that determine the demographics of users like age, sex, and race to make recommendations for content and profiles that users can follow.
The plaintiffs accused the company of violating the California Biometric Information Privacy Act, which prohibits companies using facial recognition features from identifying users and adding them to a faceprints database without explicit consent. The $92 million settlement applied to 89 million Tiktok users in the U.S, but after attorney fees, each user would walk away with at least 96 cents.
8. Anthem – $115 Million
In 2018 Anthem agreed to a $115 million settlement to resolve a lawsuit over a 2015 hack that affected around 78.8 million people. At the time of the lawsuit, this settlement was the most significant data breach settlement in U.S history. Anthem, a giant insurance company in the U.S, agreed to the settlement after a lawsuit was filed against them that alleged that the insurer failed to adequately and reasonably protect its data systems. They were accused of failing to take necessary steps to stop the data breach from happening and subsequently failed to disclose to customers that they did not have enough security systems in place to protect their data.
According to Health Leaders, the settlement included $15 million to cover out-of-pocket expenses by class members. The company was also ordered to buy at least two years of credit monitoring services for class members.
7. Yahoo – $117.5 Million
In September 2016, Yahoo announced a data breach in 2014. The data breach affected 500 million users, and the hackers stole personal information like usernames, passwords, birth dates, and security questions and answers. A week later, Edward McMahon, a lawyer, announced that he had filed a negligence lawsuit against the company for failing to protect consumers’ personal information and to inform them. The lawsuit accused Yahoo of failing to give consumers timely, accurate, and adequate notice of the breach and that they were in breach of implied contract and violation of California’s Unfair Competition law.
In August 2020, the class action finally ended when Yahoo agreed to pay a $117.5 million settlement. The settlement resolved the claims of around 194 million class members. According to The National Law Review, the court pointed out the difficulty in reaching the settlement amount because the case focused on multiple data breaches spanning a period of five years, unlike other lawsuits where the company is only accused of one data breach.
6. Morgan Stanley – $120 Million
Morgan Stanley, a U.S financial services giant, agreed to pay a $60 million settlement to resolve a class action lawsuit following two data breach incidents that affected 15 million clients. The company also paid a $60 million fine to the Office of the Controller of Currency for failures in data protection. In 2021, Morgan Stanley was sued for negligence that resulted in the two data breaches. Both breaches happened when the company failed to properly wipe information from IT equipment containing sensitive data before selling them. The lawsuit alleged that when one of the third-party purchasers of the equipment gained access to sensitive data from the equipment, they informed the company, but it did not take any action. The company did not inform the affected clients of the breaches until 2020 and 2021.
The settlement and the fine bring the amount Morgan Stanley agreed to pay for the data breaches to $120 million. According to Reuters, class members would receive up to $10,000 as reimbursement for out-of-pocket expenses. They were also entitled to fraud insurance coverage for at least two years.
5. Uber – $148 Million
In 2018, Uber agreed to a $148 million settlement to resolve a lawsuit claiming that the company covered up a data breach in 2016 that affected over 25 million app users, including drivers and customers in the U.S. In 2017, Uber announced that unauthorized persons had hacked it and that the hackers had downloaded personal information including emails, mobile numbers, and names of 57 million users worldwide including information about 600,000 drivers. Instead of addressing the incident, Uber paid the hackers $100,000 to keep the breach secret.
According to NPR, the company was sued by attorney generals from all 50 states in the U.S, and the $148 million settlement would be split among all of them. The company also agreed to upgrade its data security practices and provide security updates to the states for two years.
4. Home Depot – $179 Million
In 2014, Home Depot was hacked, and privileged information, including credit card numbers and email addresses from Home Depot customers, was stolen. The hack was among the most significant retail data breaches ever reported involving a point of sale (POS) system. The hackers carried out the cyberattack using credentials they had stolen from a Home Depot vendor. They used the vendor’s credentials to access the Home Depot network and elevated the privileges. Then, they went undetected for months until they found a way into the company’s POS system. They then downloaded malware to the system that recorded credit card details as customers paid. They extracted the information from their servers for five months before someone noticed.
The company was sued for the breach of customer data security and, in 2020, agreed to settle the suit for $17.5 million. The breach cost the company millions of dollars to address. According to ArcTitan, the company has spent over $134 million to pay several credit card companies and banks. The $134 million is not inclusive of the settlement amount or legal fees. It is estimated that Home Depot spent more than $179 million to settle all the costs stemming from the 2014 data breach. That amount does not include the damages the company’s reputation suffered due to the breach.
3. Capitol One – $190 million
In March 2019, Capital One, a banking and financial services company, was hacked in one of the country’s most significant financial security breaches ever. The hacker accessed the personal information of more than 100 million clients and bank applicants. These hacks went undetected for months, and the company only made this information public in 2019. Paige Thompson, a former engineer and Amazon cloud employee, hacked capital one and accessed the personal information of Capital one clients. She accessed private information, including credit card applications belonging to multiple private and small business accounts. Thompson then started mining the data and being paid through a cryptocurrency wallet. She was arrested and convicted of wire fraud, among other offenses.
Capital One was also sued for the inadequate security measures that led to the data breach. According to Morgan and Morgan, the company agreed to pay a $190 million settlement for the class action suit. The bank agreed to enhance its cloud security. Class members were eligible for up to $25,000 for out-of-pocket expenses incurred.
2. T-Mobile – $350 Million
In 2022, T-Mobile agreed to pay a $350 million settlement to resolve multiple class action lawsuits stemming from a data breach in 2021 that affected 76 million people. In August 2021, the company announced that it had experienced a data breach. The hacker gained access to personal information belonging to at least 76 million customers who had applied for credit with the company. They accessed customers’ names, phone numbers, addresses, social security and tax numbers, account information, mobile phone identifier numbers, pins, and personal unlock codes. Multiple people sued the company, and the lawsuits were consolidated into multidistrict litigation. The lawsuit accused the tech giant of not doing enough to prevent data breaches.
According to Class Action, in addition to the $350 million cash settlement for affected customers, T-Mobile agreed to spend at least $150 million to strengthen its data security measures over the next few years. The $150 million does not include the amount already budgeted for cybersecurity. Class members can claim up to $25,000 for out-of-pocket expenses incurred from the breach. The settlement includes at least two years of free identity defense services.
1. Equifax – $575 Million
In 2019, Equifax agreed to a $575 million settlement to resolve a lawsuit from the Federal Trade Commission and the U.S Consumer Financial Protection Bureau over a data breach that affected over 140 million people in 2017. In the lawsuit, the FTC accused Equifax of being negligent and failing to secure the personal information of millions of people stored in its database. The FTC alleged that the company knew of a security vulnerability in a database containing personal consumer data but failed to patch the security vulnerability for months.
It allowed unauthorized individuals to access the database and steal social security numbers, dates of birth, names, payment card numbers, and expiration dates belonging to 147 million consumers. According to the federal regulators, Equifax did not implement basic security measures like segmenting its database servers to block access to parts of its network in case of a breach and failing to have strong intrusion protections for databases. Equifax could have prevented the data breach if it had done this.
According to the FTC, Equifax agreed to pay $575 million as part of a global settlement with the FTC, CFPB, and 50 U.S states. As part of the settlement, $300 million was for a fund providing credit monitoring services to people affected. $175 million would be paid to 48 states, and $100 million in civil penalties would be paid to CFPB. The court also ruled that Equifax would pay an additional $125 million if the initial settlement were insufficient to compensate consumers.