Western Union's Big Leak: A Class Action Over Privacy Sales

While you might expect Western Union to save your personal, private information when you use their services, you probably don’t expect the company to share it with law enforcement across the United States for training in anti-money laundering tactics, but that is exactly what they do, a new lawsuit alleges. 

By doing so, the company, along with money transfer company MoneyGram and database vendor Forcepoint, invaded customers' privacy in a way that “is anathema to California law, policy, and equity,” the lawsuit claims.

Money sharing turns to data sharing

Jose Guzman, Fortino Rutilo Jimenez, and Bertha Meza filed the proposed class action lawsuit against Western Union, MoneyGram, and Forcepoint in California federal court accusing the companies of participating “in a massive and unlawful data dragnet collection and dissemination operation that compromises the personal information of millions of unsuspecting consumers.”

They claim the money transfer companies collected the private information of consumers who transferred $500 or more between Arizona, Texas, California, New Mexico, and Mexico, and shared it with Forcepoint. Forcepoint then made the data available to law enforcement officers nationwide for training purposes. The trio said the scheme amounted to “outrageous conduct.”

American Civil Liberties Union uncovers “dragnet operation”

The lawsuit says in 2023 the American Civil Liberties Union publicly released documents showing the “unlawful data dragnet operation” was premised on facially improper “administrative subpoenas” sent by the Arizona Attorney General. 

In 2007, the Arizona Court of Appeals found the “administrative subpoenas” were invalid and illegal, the lawsuit claims, and that fact remains the same today. The lawsuit alleges Western Union, MoneyGram, and Forcepoint are all aware of that ruling, and the illegality of the data sharing procedures.

The database established allows law enforcement officers to bypass standard protocols such as receiving court orders, warrants, or subpoenas to access people’s private information, the lawsuit claims, as it gives “unfettered access to Plaintiffs’ Protected Personal Information to over 700 law enforcement entities.”

Law enforcement data collection

Law enforcement is increasingly using private firms to collect the public’s data, including their location information and social media activity. VOX reported that police are now frequently using tactics like reverse search warrants to get data from a number of people just to try and find one suspect, and most people that get looked into don’t ever find out about it. 

Jennifer Granick, a surveillance and cybersecurity counsel for the ACLU’s speech, privacy, and technology project, told the outlet that “these more mass surveillance techniques are increasingly common.”

Federal and state law enforcement representatives told The New York Times that they had used data purchased from facial recognition app Clearview “to help solve shoplifting, identity theft, credit card fraud, murder, and child sexual exploitation cases” despite not knowing much about how the technology behind the app worked and despite known cases of mistaken identity.  

The proposed class action lawsuit claims that Forcepoint acknowledges the system it uses is “designed to allow law enforcement agencies to circumvent ordinary constitutional protections because the database contains more relevant data than what would be obtained in a traditional subpoena process’ and is specifically designed to enable investigators to avoid ‘the usual subpoena process’.”

What can you do to protect your information?

Unfortunately, the laws that were designed to protect us from having our information shared without our consent were written long before the modern internet, meaning they are largely open to interpretation. 

The most assured way to protect your personal information is not to give it out, and use encrypted services such as Signal, which minimize data collection. Also be sure to check your data sharing and privacy settings, and limit what you do share both through apps and through your computer, mobile phone, or other device.

Guzman, Rutilo Jimenez, and Meza want to represent people who have been affected by the money transfer scheme from across the U.S. and are suing for violations of the California Consumer Privacy Rights Act and California Constitution Art. 1. 

They are seeking statutory penalties, damages, and injunctive relief, to “prevent this unconscionable conduct from ever occurring again,” the lawsuit claims.

The plaintiffs and proposed class are represented by Taras Kick and Tyler Dosaj of The Kick Law Firm, and Daniel Charest, Darren Nicholson, and Chase Hilton of Burns Charest, LLP.

The Western Union, MoneyGram, Forcepoint class action lawsuit is Guzman et al v. The Western Union Company et al, Case No. 5:24-cv-404, in the U.S. District Court Central District of California.