Dropbox Hit With Lawsuits Over April Data Breach, Users Allege Negligence

File-sharing giant Dropbox is facing a double serving of legal trouble after a data breach compromised user data in April. Two separate class action lawsuits allege the company's negligence allowed the attack to happen and caused significant harm to affected users.

Lawsuits claim "preventable" attack exposed sensitive data

The lawsuits, filed by Florida resident Ramsey Coulter and California resident Aquelia Walker, accuse Dropbox of failing to adequately protect its computer systems. They claim this failure allowed hackers to infiltrate Dropbox Sign and steal sensitive personal information, including names, addresses, emails, usernames, phone numbers, and even hashed passwords. 

Both lawsuits argue that the breach was preventable and caused significant harm to affected users. Coulter said because of the breach, “cyber criminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.” 

That includes being able to log into his personal bank accounts, mortgage accounts, and online storage where he keeps sensitive personal documents, including medical records, private photographs, and other information such as his social security number, date of birth, and bank account numbers.

Walker said in her lawsuit she is very concerned about her identity being stolen and blamed Dropbox for failing to implement adequate and reasonable cybersecurity procedures and protocols.

Concerns over delayed notification and potential identity theft

Walker's lawsuit specifically highlights the delay in notifying users about the breach. She argues Dropbox became aware of the attack in April but didn't inform users until May 2024. This delay, she claims, left users vulnerable to identity theft and other forms of financial harm.

Not only did the company fail on letting the hackers in, she argues, but also in not telling users how it discovered the encrypted files on its computer systems were impacted, how the attack occurred, the reason for a delay in notifying affected users, or how the company determined that the information had been “accessed” by an unauthorized party at all, Walker argues. 

Both Coulter and Walker express concerns about their personal information being used for malicious purposes. Coulter, a previous victim of identity theft, fears the breach has further exposed him to financial risk.

Coulter said he needed to spend a significant period of time changing several passwords, speaking with his banks, talking with the credit agencies, monitoring his bank accounts, reviewing his credit information, and checking his credit cards. 

“The likelihood of this occurring repeatedly, as a result of [Dropbox’s] data breach, has caused plaintiff emotional distress, including lack of sleep, worry, anxiety, and stress.”

Walker said the injuries the users have suffered were compounded by the fact that Dropbox did not immediately notify those affected until May 2024. She said the users have suffered losses, emotional stress, and had to spend their time trying to mitigate the risks of future theft. She said her and other users' identities are “now at substantial risk” and the “present risk will continue for the course of their lives.”

Lawsuits seek damages, security improvements, and monitoring

Both lawsuits seek compensation for damages incurred by affected users, including attorney fees, costs, and expenses. Additionally, they demand significant improvements to Dropbox's data security systems, including annual audits and long-term credit monitoring services funded by the company.

Coulter and Walker seek to represent all Dropbox users affected by the April data breach nationwide.

Data breaches prompt legal action against tech companies

The class action lawsuits against Dropbox are part of a growing trend of legal action against companies following data breaches.

Telecommunications company AT&T was hit with legal action from consumers after a March data breach compromised the personal information of about 73 million people, WCNC reports. 

Progress Software Corp. also had to face up to users of its MOVEit cloud-hosting and file-transfer service, after it “failed in its duty to protect sensitive information in connection with a data breach,” Bloomberg reported.

Back in 2022, Accellion Inc had to pay $8.1 million to settle a proposed nationwide class action lawsuit that stemmed from a data breach of its legacy file transfer product, Reuters reported.

Coulter and the class are represented by Robert Sibilia of Robert Sibilia S.B.N. Walker and the class are represented by Yana Hart, Ryan J. Clarkson, Tiara Avaness of Clarkson Law Firm, P.C.; Jennifer Czeisler and Edward Ciolko of Sterlington, PLLC; and James M. Evangelista of Evangelista Worley LLC.

The Dropbox data hack proposed class action lawsuits are Coulter v. Dropbox, Inc. Case No. 4:24-cv-02637-KAW and Walker v. Dropbox, Inc. Case No. 4:24-cv-02659-KAW, both filed in the U.S. District Court for the Northern District of California.