Retail giant Walmart has been slapped with a lawsuit over allegations that it breached the California Consumer Privacy Act (CCPA).
The company has been accused of causing “significant injuries and damage” to customers as a result of an unknown data breach, a breach that Walmart says never occurred.
- Best antivirus: keep your data and devices safe from hackers
- What to do after a data breach: here are the steps you should take
- Latest: Two top VPNs just pulled out of Hong Kong — here's why
The case, filed in the U.S. District Court for the Northern District of California July 10, claims that hackers were able to breach the official Walmart website and harvest customer data, as reported by Infosecurity and Bloomberg Law.
The suit doesn't specify when the alleged breach took place, and doesn't specify any total monetary damages sought.
It’s claimed that the hackers stole personal information such as the names of customers, home addresses and financial information in order to sell it to other cybercriminals on the dark web.
The lawsuit reads: “As a result of defendants’ wrongful actions and inactions, customer information was stolen. Many customers of Walmart have had their PII [personally identifiable information] compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft and have otherwise suffered damages.
“Further, despite the fact that the accounts are available for sale on the dark web, and Walmart’s website contains multiple severe vulnerabilities through which the data was obtained, Walmart has failed whatsoever to notify its customers that their data has been stolen.”
While the suit doesn’t specify the exact number of customers who have had their data breached in the alleged hack, the suit says it’s “at least in the thousands.”
Under the California Consumer Privacy Act (CCPA), Walmart could potentially be made to pay $750 to every customer who was affected by the breach.
As per the Bloomberg report, Walmart denies that the breach ever happened and will argue against the claims in court. A spokesperson told Bloomberg: "Protecting our customers’ data is a top priority and something we take very seriously.
“We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information.”
Salesforce and Clearview also sued
Walmart joins a host of other household names that have faced lawsuits as a result of California’s new privacy laws, including Salesforce and Clearview.
Jake Moore, a security specialist at ESET, told Tom's Guide: "Companies of this magnitude and stature need to understand the risk to their customers and although we don’t want to see anyone go out of business, it can help other companies minimise the risk and learn from their mistakes and future-proof them.
"Once personal information is stolen it is never retrieved completely. Furthermore, most of it, such as your name or date of birth, cannot be changed as easily as a compromised password or bank card number. It may sound trivial but fraudsters can do a lot of damage with a list of customer data especially when identity theft is so rife too."
- More: Stay anonymous and safer online with the best VPN