eBay Seeks Dismissal of Breach Lawsuit

Company Spells Out Why It Believes Case Has No Merit
eBay Seeks Dismissal of Breach Lawsuit

eBay has filed a motion to dismiss a class action lawsuit filed against the company in July following a breach earlier this year that resulted in 145 million customers having their personal information compromised.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The plaintiff named in the case "does not allege that he has been injured by misuse of the stolen information," eBay says in its motion to dismiss the lawsuit, which was filed Sept. 30. "He does not allege that anyone has used his password, or that anyone has even tried to commit identity fraud with his information - let alone that anyone has actually succeeded in doing so - and that he has thereby suffered harm."

Instead, eBay argues, the plaintiff "relies on vague, speculative assertions of possible future injury - that maybe at some point in the future, he might be harmed."

In addition, eBay argues the plaintiff failed to state a claim upon which relief can be granted. eBay alleges the plaintiff has taken a "shotgun" approach to pleading his claims, "asserting no fewer than 10 causes of action, including one under a statute that does not provide a private right of action and another under a statute that was repealed before the complaint was filed."

Lawsuit Details

The lawsuit, filed on behalf of Collin Green and all customers of eBay, contends that the breach was the result of the company's "inadequate security" for protecting identity information of its millions of customers.

"eBay was aware of the value of the personal information it held, and threat to the security of that information long before the 2014 security breach," the lawsuit says, citing eBay's first quarter 2014 SEC filing, where the company acknowledged that security breaches were a constant threat.

The lawsuit asserts that e-Bay violated state privacy laws, the Gramm-Leach-Bliley Act and the Federal Stored Communications Act. It also alleges a violation of Louisiana R.S. 51:3072, which states that "expeditious notification of possible misuse of a person's personal information is imperative."

The suit doesn't specify instances of fraud or identity theft, but says class members "must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud." It seeks compensatory damages, consequential damages, injunctive relief and costs of the suit, including attorneys' fees.

Breach Background

The breach, which eBay revealed in May, occurred between late February and early March. It began after a small number of employee log-in credentials were compromised, which allowed cyber-attackers to gain access to eBay's corporate network (see: eBay Sees Revenue Decline Due to Breach).

Compromised information included encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers and dates of birth, according to the company. The exposed database did not contain financial information, eBay says. The company urged 145 million customers to reset their passwords.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.