Petals of Discontent: Teleflora Faces Lawsuit Amid Major Data Breach

A Maryland man is blooming mad after he says a Teleflora data breach saw him hit with more than $1,000 in fraudulent charges on his account.

Jonathan Cummings is the owner of one of more than 10,000 businesses that have contracts with Teleflora, a delivery service which brokers orders to local florists for delivery.

In a proposed class action lawsuit filed against the company on March 27, he alleges Teleflora was responsible for a data breach that saw him and other business owners’ private information exposed, including names and social security numbers. 

Cummings says the data breach not only saw him and others defrauded, he says he also spent hours of valuable time trying to minimize the damage from the breach.

Delayed notification and inadequate disclosure of data breach

Cummings says, in order to do business with Teleflora, he and other florists must provide their names and social security numbers. However, he says the company was negligent with the data, and held it in its computer systems unencrypted.

He says he got a letter from Teleflora on March 13 advising him of a data breach at the company. However, he alleges that letter didn’t give him enough information to secure his privacy.

“Omitted from the [letter] was the date of the data breach, the identity of the cybercriminals who perpetrated the cyber-attack, the details of the root cause of the data breach, the vulnerabilities exploited, why it took nearly an entire year from the day of the data breach to inform impacted individuals that their information was involved, and the remedial measures undertaken to ensure such a breach does not occur again,” Cummings said in his lawsuit. 

Cummings adds that he believes he and other people’s private information was sold on the dark web. He says he noticed that his account suffered more than $1,000 in fraudulent charges, and he started getting an increase in spam calls and emails. Meanwhile, Cummings said he poured hours into dealing with the breach.

“This time has been lost forever and cannot be recaptured,” he says.

Teleflora criticized for exposing sensitive information

Teleflora should have known that the private data it collected would be targeted by cybercriminals, Cummings says.

Instead, he says the company failed to safeguard the information, causing “long lasting and severe” ramifications for its florist clients.

“Once [personally identifiable information] is stolen–particularly Social Security numbers––fraudulent use of that information and damage to victims may continue for years,” he says.

Recent incidents heighten concerns over data security

A number of large companies have recently been hit with data breaches, and have settled them for large amounts. 

Recent high profile data breaches at other companies include one at T-Mobile, with 37 million records exposed, and one at 23andMe, with 20 million records exposed, the lawsuit says.

In December 2022, Equifax agreed to a settlement that included up to $425 million to help people affected by a data breach that exposed the personal information of 147 million people in 2017. Earlier this month, AT&T was hit with a proposed class action lawsuit by a customer who says the carrier allegedly ignored a data breach involving 73 million users.  

Plaintiff seeks redress and improved security measures

Cummings is looking to represent anyone in the United States whose personally identifiable information was accessed by an unauthorized party as a result of the data breach reported by Teleflora in March 2024 

He’s suing for negligence, breach of implied contract and breaches of privacy laws and is seeking certification of the class action, damages of more than $5 million, fees, costs and a jury trial – as well as an order forcing the company to improve its data security practices. 

The plaintiff and proposed class is represented by John J. Nelson of Milberg Coleman Bryson Phillips Grossman PLLC. 

The Teleflora data breach class action lawsuit is Cummings et al., v. Teleflora LLC, Case No. Case 2:24-cv-02511 in the U.S. District Court for the Central District of California.