Six days back, Digital Music News was first to report that “a number of e-commerce websites” operated by Warner Music Group (WMG) had suffered a major credit card hack. Now, the Big Three record label is facing a class-action lawsuit over the massive data breach.
Two individuals who purchased from Warner Music Group web stores between April 25th and August 5th, when hackers accessed customers’ personal information and credit card details, submitted the class-action complaint to a New York federal court. DMN obtained an exclusive copy of the corresponding filing, which accuses WMG of failing “to properly secure and safeguard personal identifiable information” and of failing “to provide timely, accurate, and adequate notice” of the months-long breach.
After introducing the plaintiffs’ claims and reiterating the size and scope of Warner Music, the lengthy suit outlines the hack’s basic circumstances. To briefly recap, WMG stated in a letter (distributed to those whose data may have been stolen) that “an unauthorized third party” compromised their web stores across a more than three-month stretch, possibly making off with all manner of personal and financial specifics.
It’s unclear exactly how many users were affected by the digital theft, but the legal text notes that “potentially millions of payment card transactions” were exposed to criminals. Warner is still working with law enforcement to track down the perpetrator(s).
However, the filing provides additional context to the hack, beyond the nuances disclosed in WMG’s aforementioned letter. The remote crime may have resulted from “malicious codes” entered into e-commerce stores by the responsible parties, which then collect payment and personal details inputted during the checkout process. In turn, the hack could have acquired the sensitive knowledge “without necessarily comprising the victim website’s network or server,” per the plaintiffs.
The complaint then describes the value that personal and financial particulars hold on the dark web, as well as the intentional delay that often separates the details’ theft and actual use.
Nevertheless, an unapproved charge of $197.90 was made on the first plaintiff’s payment card about one month after he placed an order through a WMG store; the second plaintiff’s payment card was charged in early August, but his bank flagged and blocked the expenditure.
Consequently, the plaintiffs characterize the year-long credit monitoring service Warner Music Group offered possible victims – and the lack of identity theft protection – as “inadequate.”
At the time of this writing, Warner Music Group hadn’t publicly responded to the class-action lawsuit.