Walmart has become the latest big-name brand accused of violating California’s new data breach regulations.
The retail giant is the subject of a new complaint alleging that customers now face “significant injuries and damage” after an unspecified incident.
Customer names, addresses, financial and other information were among the haul for attackers, according to the suit filed in the US District Court for the Northern District of California.
“As a result of defendants’ wrongful actions and inactions, customer information was stolen. Many customers of Walmart have had their PII compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft and have otherwise suffered damages,” the suit alleges.
“Further, despite the fact that the accounts are available for sale on the dark web, and Walmart’s website contains multiple severe vulnerabilities through which the data was obtained, Walmart has failed whatsoever to notify its customers that their data has been stolen.”
Although it’s unknown at present how many customers were affected by the incident, the filing claims that the number of class members is “at least in the thousands.”
If the maximum damages under the California Consumer Privacy Act (CCPA) are awarded, that means $750 per customer.
Walmart intends to defend the claims made against it.
“We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” it said, according to Bloomberg.
Other tech firms also lined up for CCPA suits include Salesforce, controversial facial recognition firm Clearview AI and online marketplace Minted.
The new law came into force at the start of 2020, but enforcement began on July 1. It brings with it new GDPR-like powers for individuals to demand that companies don’t share their data with third parties, and that they reveal what information they hold on data subjects.
It also empowers customers to sue if they feel their privacy rights have been violated, even if they’ve not been the subject of a breach.