Weee's Data Breach Exposed Information of Over 1M Customers: Class Action

Security failures leading to a data breach at Asian-American grocery chain Weee allowed hackers to steal personal and financial data from Orange County, California, resident Helen Jia, alleges her Thursday class action (docket 3:23-cv-02314) in U.S. District Court for Northern California in San Francisco. The case specifically targets Chinese immigrants like Jia, it said.

A threat actor named “IntelBroker” began leaking the data of Weee’s customers on the “Breach,” a hacking and data breach forum, Feb. 6, said the complaint, allegedly affecting 1.1 million Weee customers, including Jia, who placed orders after July 12, 2021, the complaint said. Hackers continue to use the information they obtained as a result of Weee’s “inadequate security” and injure class members across the U.S., it said.

The defendant failed to uncover and disclose the extent of the breach and notify affected customers “in a timely manner,” the complaint said. The company also failed to take other “reasonable steps to clearly and conspicuously inform its customers of the nature and extent” of the breach, preventing them from protecting themselves, it said. Due to the breach, Jia and class members face an “immediate and substantial risk” of identity theft, identity fraud, fraudulent credit card activity, phishing and increased mailers marketing products and services, the complaint said.

Information stolen from Weee included personally identifiable information (PII) that’s “highly valued” among cyber thieves, said the complaint. It gave as an example Apple ID usernames and passwords, sold on average for $15.39 each on the Dark Web. Fraudsters stole $16.8 billion from U.S. consumers in 2017, including $5.1 billion stolen through bank account takeovers, it said.

Jia and class members have to regularly monitor their credit and financial accounts and store and dispose of their documents containing their PII since notification of the breach, said the complaint. Victims of identity theft suffer emotionally and physically, it said, citing feelings of distress, anxiety and fear, plus sleep disturbances, inability to concentrate and physical illnesses that affect their ability to work, the complaint said.

The FTC has issued numerous guides for business highlighting the importance of reasonable data security practices, but Weee didn’t comply with regulatory guidance or meet consumers’ expectations for data security, the complaint said. Despite understanding the consequences of inadequate data security, defendants failed to comply with industry-standard data security requirements, it said.

Causes of action in the 13-count suit include intrusion upon seclusion; right to privacy; violation of California’s Unfair Competition Law, Customer Records Act, Consumer Privacy Act and Information Practices Act; breach of confidentiality and contract; fraud; negligence; and unjust enrichment.

Jia seeks for herself and the class an order prohibiting Weee from engaging in wrongful and unlawful acts; an order requiring the company to delete, destroy and purge customers’ PII; an order requiring it to implement and maintain a comprehensive security program with regular checks and employee training; awards of compensatory, consequential, general, statutory and punitive damages; restitution and disgorgement; and attorneys’ fees and legal costs.