NEW ORLEANS – A class action lawsuit has been filed against eBay after class members claim it failed to protect personal information when it suffered a data breach.
In February or March, eBay’s files were accessed by identity thieves, without eBay’s permission, the complaint says. The thieves, at a minimum, had access to and reportedly copied customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth, plaintiffs say.
Collin Green claims eBay did not notify its customers of the security breach until May 21, but only after the security breach had been reported by independent Internet sources, according to a complaint filed July 23 in the U.S. District Court for the Eastern District of Louisiana.
Green claims the security breach was the result of eBay’s inadequate security in regard to protecting identity information of its millions of customers.
EBay’s failure to properly secure this information has caused, and is continuing to cause, damage to its customers, according to the suit.
“EBay was aware of the value of the personal information it held, and the threat to the security of that information long before the 2014 security breach,” the complaint states.
Green claims eBay stated in its first quarter 2014 10-Q SEC filing that security breaches were a constant threat.
After the data breach, eBay asked its customers to reset their passwords, according to the suit.
“Industry security experts have lambasted eBay for its failure to properly secure the data in its possession,” the complaint states.
Green claims eBay claims it encrypted passwords, but only in the least safe method.
“According to industry reports, eBay chose to use the cheaper security method of encryption as opposed to hashing, with full knowledge that hashing was much more secure and preferred by security experts,” the complaint states. “Once a hacker steals the encryption key, the complex nature of a ‘strong’ encrypted password is irrelevant as the hacker can simply reveal the password with the encryption key.”
With hashing, the hacker still cannot access the password, according to the suit.
Green claims eBay breached its implied contract, breached its fiduciary duty, violated the Gramm-Leach-Bliley Act, violated multi-state privacy laws and violated the federal Fair Credit Reporting Act.
Green is seeking class certification and compensatory and consequential damages with pre- and post-judgment interest. He is represented by Charles F. Zimmer II, Eric H. O’Bell and Bradley T. Oster of O’Bell Law Firm LLC.
The case has been assigned to District Judge Susie Morgan.
U.S. District Court for the Eastern District of Louisiana case number: 2:14-cv-01688