SEATTLE–Veridian Credit Union has filed a proposed class action lawsuit against retailer Eddie Bauer over a 2016 data breach.
The suit, filed in the United States District Court for the Western District of Washington in Seattle, alleges financial institutions have incurred costs as a result of Eddie Bauer’s failure to properly protect its customer’s financial information. In its suit, Veridian says that the security breach took place from on or around Jan. 2, 2016 to on or around July 17, 2016 and the names, credit and debit card numbers, card expiration dates, CVVs and other payment card data of customers at approximately 350 Eddie Bauer stores in the United States and Canada were exposed.
As a result, Veridian alleges in the suit, it and other financial institutions were forced take one or more of the following actions: cancel or reissue any credit and debit cards affected by the breach; close and/or open or reopen any deposit, transaction, checking, or other accounts affected by the breach; refund or credit any cardholder to cover the cost of any unauthorized transaction relating to the Eddie Bauer Data Breach; respond to a higher volume of cardholder complaints, confusion, and concern; increase fraud monitoring efforts; and/or other lost revenues as a result of the breach.
“The failure of Defendant to adequately secure its data networks was particularly inexcusable given the fact that the infiltration underlying the Eddie Bauer Data Breach involved mostly the same techniques as those used in major data breaches in the preceding months and years, including those at other major retailers like Target, Home Depot, and Kmart,” the lawsuit states. “Nevertheless, despite having knowledge that such data breaches were occurring throughout the retail industry, Defendant failed to properly protect sensitive payment card information.”
The suit goes on to further allege that the company failed to “upgrade security systems, and failed to comply with industry standards by allowing its computer and point of sale systems to be hacked causing financial institutions’ payment card and customer information to be stolen. Eddie Bauer’s data security deficiencies were so significant that hackers were able to install malware and remain undetected for months, until outside parties notified Eddie Bauer that its computer and point of sale systems may have been breached as a result of the identification of fraudulent transactions that had taken place after the hackers had used or sold customer data. Defendant also failed to mitigate the damage of a potential data breach by failing to implement chip-based card technology, otherwise known as EMV technology.”
The breach was further exacerbated, the suit alleges, by Eddie Bauer failing to notify customers of the infiltration for approximately six weeks after it learned of it.
The credit union is being represented by Tousley Brain Stephens, PLC.