International Trade Today is a Warren News publication.
Not a 'Passive' Breach

Dropbox Neglected to Protect Customer's PII in Data Breach, Say Class Actions

Online storage company Dropbox disregarded the rights of users by “intentionally” and “recklessly” failing to take adequate measures to protect their personally identifiable information (PII) and allowing it to be accessed in a data breach it purportedly discovered April 24, alleged a negligence class action Tuesday (docket 3:24-cv-02731) in U.S. District Court for Northern California.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

While Dropbox claims to have discovered the breach April 24, it hasn’t informed victims when or for long the breach occurred and hasn’t notified victims directly that their PII was compromised, said the complaint. Plaintiff Shyrah Strickland, a North Carolina resident, received a notice dated Friday from FundThrough, informing her her information may have been exposed in the breach. FundThrough is an online financial services company that provides cash flow solutions for businesses.

Dropbox “acquired, collected and stored” Strickland's and class members' PII and failed to take “available steps to prevent an unauthorized disclosure" of their data, said the complaint. It also failed to follow "applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use,” alleged the complaint.

As a result, Strickland's and class members’ PII was compromised through disclosure “to an unknown and unauthorized third party -- an undoubtedly nefarious third party seeking to profit off this disclosure” by defrauding Dropbox users, said the complaint.

Since receiving notice of the breach, Strickland has spent time dealing with its consequences, including time spent verifying its legitimacy and impact, researching credit monitoring and identity theft insurance options, self-monitoring accounts and seeking legal counsel regarding options for remedying effects of the breach, the complaint said. Strickland suffered lost time, annoyance and inconvenience as a result of the incident and has “anxiety and increased concerns for the loss of privacy” and the impact of cybercriminals accessing, using and selling her PII, it said.

Strickland and class members suffered “imminent and impending injury arising from the substantially increased risk of fraud, identity theft and misuse” resulting from their PII “being placed in the hands of unauthorized third parties/criminals,” the complaint said. Despite the prevalence of data breach announcements, Dropbox “failed to take appropriate steps” to protect the plaintiff and class members’ PII from being compromised, it said.

In addition to negligence, Strickland alleges breach of implied and implied covenant of good faith and fair dealing and violation of the California Unfair Competition Law. She seeks awards of actual, nominal and consequential damages; orders enjoining Dropbox to cease unlawful activities and requiring it to encrypt all data collected through the course of business, delete and purge her and class members’ PII, and implement a comprehensive information security program, the complaint said. She also requests attorneys’ fees and costs and prejudgment interest.

The suit follows a negligence class action filed a week ago by Aquelia Walker, which cited a May 1 Dropbox blog saying that on April 24 the company became aware of “unauthorized access to the Dropbox Sign (formerly HelloSign) production environment.”

Upon further investigation, Dropbox learned a “threat actor” accessed the Dropbox Sign production environment and took customer information such as “email addresses, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API Keys, OAuth tokens, and multi-factor authentication” information, said the post. The company “found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information,” it said.

Dropbox Sign’s infrastructure “is largely separate from other Dropbox services,” said the blog, saying the company believes the incident “was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.” In response to the breach, Dropbox’s security team “reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens,” it said. The post gave instructions for resetting passwords and other security measures.

Walker contrasted the Dropbox breach with others, saying, “This was not a passive data breach,” where it’s unclear whether the compromised data was targeted or even seen, said the Clovis, California, resident's May 2 complaint (docket (3:24-cv-02659) in U.S. District Court for Northern California. Instead, the data breach “occurred because Dropbox enabled an unauthorized third party to gain access to and obtain former and current Dropbox customers’ PII from its internal computer systems," it alleged. The breach was “a direct result of Dropbox’s failure to implement adequate and reasonable cybersecurity procedures and protocols, consistent with the industry standard, necessary to protect [PII] from the foreseeable threat of a cyberattack,” the complaint said.

In addition to negligence and breach of contract claims, Walker charges violation of the California Consumer Privacy and Consumer Legal Remedies acts and its Unfair Competition Law. She seeks orders requiring Dropbox to use appropriate methods and policies regarding consumer data collection, storage and safety “and to disclose with specificity the type of PII comprised” in the breach. In addition, she requests an order requiring the defendant to pay for credit monitoring services; awards of actual, compensatory, statutory and punitive damages; statutory penalties; attorneys’ fees and costs; and pre- and post-judgment interest.