Affirm Data Breach Class Action: Did Evolve Bank Compromise Your Info?

Case Overview: A class action lawsuit has been filed against Affirm, alleging that negligence in data security practices led to a data breach that exposed customer information.

Consumers Affected: Affirm customers whose personal information was compromised in the data breach.

Court: U.S. District Court for the Northern District of California


Buy Now, Pay Later Giant Sued Over Data Security Failures

California-based Affirm, a popular buy now pay later platform, is facing legal action from a New York customer. The lawsuit alleges that Affirm failed to secure sensitive personal information, leading to a data breach in June that compromised the personally identifiable information (PII) of its customers. 

Plaintiff Douglas Clemmerson, a resident of Parker County, Texas, argues that Affirm was negligent in handling customer data and failed to provide timely notice of the breach, further compounding the damage.

Affirm Accused Of Negligence In Evolve Bank Data Breach

Clemmerson's lawsuit claims that Affirm, a financial technology company that offers lending and consumer credit services through its online platform, was negligent in its partnership with Evolve Bank. Evolve, a third-party bank that works with companies like Affirm, is accused of having "deficient data security measures." Affirm transferred and entrusted customer data, including PII, to Evolve as part of their business relationship.

Despite Clemmerson's efforts to protect his personal information, he claims that his PII was exposed in the data breach due to Evolve's lax data security practices. He argues that Affirm could have prevented or mitigated the impact of the breach by choosing a banking partner with stronger security measures.

Plaintiff Claims Affirm's Response To Data Breach Is Inadequate

Following the breach, Affirm offered Clemmerson 24 months of credit monitoring and identity theft protection services. However, Clemmerson contends that this measure is inadequate, as the risks of identity theft persist for a lifetime. He also criticizes Affirm for placing the burden of protection on the affected customers.

“Upon information and belief, Affirm made no, or insufficient, efforts to ensure that Evolve complied with the requisite data security standards, and all federal and state laws regarding PII protection, before entrusting its clients’ data to Evolve,” the lawsuit states.

Clemmerson's concerns are further amplified by the fact that following the breach, he was notified that his information was found on the dark web. Additionally, he experienced a spike in spam phone calls and emails.

The lawsuit also points to a lack of transparency from Affirm regarding the scope of the breach, the specific data stolen, and the steps being taken to secure customer information. This lack of information leaves Clemmerson and other affected customers in the dark and unable to fully protect themselves from further harm.

“Plaintiff and the Class Members remain, even today, in the dark regarding the scope of the data breach, what particular data was stolen, beyond several categories listed in the letter as “included” in the Data Breach, the particular ransomware used, and what steps are being taken, if any, to secure their PII and financial information going forward,” the complaint argues.

June Ransomware Attack Exposed Sensitive Customer Information

Around June 25, 2024, Evolve confirmed that it had suffered a ransomware attack, allegedly perpetrated by the LockBit ransomware gang. The breach resulted in the release of illegally obtained data, including PII, on the dark web. The stolen data potentially included names, Social Security numbers, dates of birth, account information, and other personal details.

Several fintech startups, including Affirm, were affected by the Evolve data breach. Industry reports indicate that customers of Branch, EarnIn, Marqeta, Melio, Mercury, Yieldstreet, and Wise may also have had their PII stolen.

Stolen PII is one of the most valuable commodities on the criminal information black market. According to Experian, a credit-monitoring service, stolen PII can be worth up to $1,000.00 depending on the type of information obtained. It can take victims years to spot or identify PII theft, giving criminals plenty of time to milk that information for cash. 

The lawsuit further alleges that Evolve's poor cybersecurity practices are not new and have previously led to regulatory action. The St. Louis Federal Reserve Bank and the Arkansas State Banking Department launched an enforcement action against Evolve in 2023, stemming from their safety and soundness examination. This action mandated a plan to correct information technology security deficiencies.

Data Breaches Continue To Rise 

The Affirm breach is part of a larger trend of increasing data breaches across various industries, targeting consumers' personal information. Despite significant investments in cybersecurity, data breaches continue to rise dramatically.

The evolution of ransomware attacks, where hackers not only lock up data but also steal it, has made these attacks more damaging and widespread. Even less skilled cybercriminals can now participate, leading to larger and more frequent breaches.

Consumers Fight Back Against Companies With Lax Data Security Practices

As data breaches increase, so do legal actions against companies perceived to be neglecting their responsibility to protect customer information. Lawsuits similar to the one against Affirm have been filed against other companies like National Public Data, MarineMax, and HealthEquity.

In one case, National Public Data is defending a class action lawsuit over a breach that exposed the personal information of over 2 billion people. HealthEquity faces accusations of negligence in a data breach that allegedly led to identity theft and fraud.

In the Affirm data breach class action lawsuit, Clemmerson wants to represent consumers from across the U.S. in his claims of negligence, breach of implied contract, and unjust enrichment. He’s seeking damages, injunctive relief, fees, and costs.

Case Details

  • Lawsuit: Clemmerson v. Affirm Holdings, Inc.
  • Case Number: 3:24-cv-06097-AGT
  • Court: U.S. District Court for the Northern District of California

Plaintiffs' Attorneys

  • Michael F. Ram, John A. Yanchunis, Ronald Podolny, and Antonio Arzola (Morgan & Morgan Complex Litigation Group)

Have you been affected by the Affirm data breach or other data breaches in the past? Share your thoughts and experiences in the comments below.
