Dell Understated Amount of Information Exposed in Data Breach: Class Action
Despite Dell's assurances that a data breach of its systems doesn’t pose “significant risk” to those affected because of “limited information impacted,” the breach appears to have been “substantially broader,” alleged a negligence class action Tuesday (docket 1:24-cv-00647) in U.S. District Court for Western Texas.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Anna Truss of Lynnwood, Washington, received a notice dated May 9 from the company about “an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell,” alleged the complaint. The notice said the computer maker didn’t believe there was a significant risk to customers “given the type of information involved” and that the data involved doesn’t include financial or payment information, email address, telephone number “or any highly sensitive information.”
Truss asserts the breach did, in fact, include financial or payment information “and significant details, giving rise to significant exposure to financial fraud and phishing attacks by which hackers can gain additional information from class members,” exposing them to potential financial fraud and identity theft of their personally identifiable information (PII). And because consumers who used the Dell Pay credit offering are required to provide Social Security numbers “and other critical PII,” it’s unclear whether Truss and class members are at continued risk of identity theft, said the complaint.
Truss bought a computer from Dell on Nov. 26 and provided “substantial” personal information to the company, including name, contact and payment information, said the complaint. In connection with her application for credit offered through Dell Pay, she gave her Social Security number, birth date and financial account information, it said. On May 24, Truss received emails and a phone call from individuals purporting to be Dell employees, alleged the complaint. The communications included “substantial details” regarding her Dell PC purchase, including date, amount paid and the methods of payment she used, it said.
The first May 24 email, “purportedly from a dell.com email address,” informed Truss of a purported issue with her payment method that prevented the payment from being processed, it alleged. The email identified the purchase date, total amount of purchase and balance due of $325.87, the amount she had paid using Dell Pay.
A second email received the same day, “purportedly from the same email address,” said, “I see that you have paid $600 for this invoice” and identified the credit card issuer Truss used for the purchase. The message said a “remaining payment of $325.87 was not captured due to a payment decline by your Comenity Capital Bank (Dell Pay).” The email identified the payment method Truss used and the amounts remitted through the payment method, then provided one of several alternative payment options for the “purported remaining balance." Those included "a PayPal link, a contact via phone so 'you can give me the credit card details so our internal team will securely charge’ the outstanding payment, or a link to the 'Dell Pay Now’ platform,” it said. The plaintiff also received a phone call, again purportedly from a Dell employee, seeking payment, the complaint alleged.
Truss “takes care” in protecting her PII from disclosure, said the complaint. Faced with the risk of unauthorized disclosure of her PII, she now must monitor her financial accounts for signs of fraud and identity theft and “devote valuable time and resources to same,” it said. As a result of the breach, she has taken steps to freeze her credit, it said.
Truss and class members provided their PII to the company with the expectation and “mutual understanding" that it would keep their information confidential and secure from unauthorized access, as stated in its privacy policy, said the complaint. The defendant knew or should have known that it was responsible for protecting their PII from disclosure, it said. Dell was under a contractual duty to adopt and implement reasonable measures to protect their PII from unauthorized access and disclosure, it said.
The plaintiff asserts claims of negligence and negligence per se, breach of implied covenant of good faith and fair dealing, and breach of duty and implied contract. She requests awards of compensatory and actual damages, trebled, in an amount over $5 million; actual, nominal, statutory and punitive damages; civil penalties; restitution and disgorgement; pre- and post-judgment interest; legal costs and attorneys’ fees; and an order enjoining Dell from continuing to engage in the wrongful acts described. Dell emailed Wednesday it doesn't comment on pending litigation.