A few weeks ago, Stellantis, one of the world’s largest automobile manufacturers, disclosed that it had fallen victim to a ShinyHunters data breach. ShinyHunters, a criminal hacking and extortion group, has been linked to a string of recent breaches, many of them carried out with voice phishing (vishing) against employees, at companies including Google, Cisco, Adidas, and Workday. In the Stellantis case, over 18 million Salesforce records were reportedly compromised.
According to Stellantis representatives, the attackers stole only contact information belonging to some of its North American customers. The intrusion began with access to a third-party service provider’s platform, which Stellantis says was not used to store financial or otherwise “sensitive” personal information, so only names, phone numbers, and email addresses were likely taken. Even contact data has value to an attacker, though: it is exactly what a follow-on phishing or vishing campaign needs. ShinyHunters, for its part, also claims it used OAuth tokens stolen from Salesloft’s Drift AI chat integration with Salesforce to get into customers’ Salesforce instances and then comb the stored records for secrets such as passwords, AWS access keys, and Snowflake tokens. A stolen OAuth token is especially dangerous because it lets the attacker act as the trusted integration without entering a password or satisfying multi-factor authentication, so revoking the tokens and rotating any secret found in the exposed records are the first response steps.
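The harvesting step described above, in which an attacker with a stolen integration token searches CRM records for embedded credentials, is also the check a defender should run on their own exported records after such an incident. The following is an added example written for this article, not code from Stellantis, Salesforce, or Salesloft; the sample records, the secret patterns, and the helper names are all constructed for illustration, and the AWS values are the public documentation placeholders, not real keys.

```python
"""Scan exported CRM record text for credentials an attacker would harvest.

Added example (not from the article). Constructed sample data only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records standing in for support cases or chat transcripts
# exported from a Salesforce-style CRM. Values are placeholders, not real secrets.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("CASE-0001", "Customer could not log in. Reset password: Winter2024! and re-sent link."),
    ("CASE-0002", "Engineer pasted creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
                  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("CASE-0003", "Snowflake connection string: snowflake://analyst:S3cretPw@xy12345.us-east-1 (testing only)"),
    ("CASE-0004", "Vehicle delivery scheduled for Tuesday; customer confirmed phone number on file."),
]

# Each pattern captures the sensitive value in group 1. Order matters only for
# the order of findings within one record. These are illustrative patterns,
# not an exhaustive secret-detection ruleset.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    # AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16 uppercase/digits.
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # A secret key assigned right after its variable name; secrets are 40 base64-ish chars.
    ("aws_secret_access_key", re.compile(
        r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.IGNORECASE)),
    # Connection URLs commonly carry user:password@host inline.
    ("snowflake_connection_string", re.compile(r"(snowflake://\S+)", re.IGNORECASE)),
    # Free-text password assignments typed into a ticket or chat.
    ("password_assignment", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)),
]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a key, mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_records(records: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched secret: record id, kind, redacted value.

    The redacted form is what belongs in an incident report; the raw value
    should go only to whoever is rotating the credential.
    """
    findings: List[Dict[str, str]] = []
    for record_id, text in records:
        for kind, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(text):
                findings.append({
                    "record_id": record_id,
                    "kind": kind,
                    "redacted": redact(match.group(1)),
                })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by kind, for the breach-scope summary."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


def affected_records(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated list of record ids whose contents need credential rotation."""
    return sorted({finding["record_id"] for finding in findings})


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for finding in results:
        print(f"{finding['record_id']}: {finding['kind']} -> {finding['redacted']}")
    print("by kind:", summarize(results))
    print("rotate credentials referenced in:", affected_records(results))
```

Run over a real export, every hit is a credential that must be treated as compromised once an integration token with read access to those records is known to have been stolen; the record id list is the rotation checklist, and the redacted values are what goes into the incident report.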
The Stellantis incident is one of many large-scale cybersecurity breaches as of late. Companies and government bodies in the United States, United Kingdom, and European Union, including the National Labor Relations Board, Britain’s tax office (HM Revenue & Customs), and LVMH, have all been recent targets of ransomware and other cyberattacks. These threats have resulted in numerous lawsuits seeking consumer protection and stronger security for personal information.
Data breach lawsuits have increased rapidly in number for several reasons. First, as attackers grow more capable and find new ways around security controls, more incidents, and therefore more cases, naturally arise. Consumers’ growing privacy concerns also mean heightened awareness of weak security practices. And with well-known companies as frequent targets, households, which are often customers of or investors in those companies, are primed for concern.
Existing case law is largely grounded in the assumption that hackers steal personally identifiable information (PII) for monetary gain. Attackers are increasingly motivated by non-financial ends, however, such as blackmail, activism, and espionage, so the case law will need to adapt to an evolving threat landscape.
Companies hit by breaches like Stellantis’s face a complex web of legal exposure spanning private litigation, statutory damages, and regulatory fines. Both federal and state law govern the consequences of corporate data liability. One such state law is the California Consumer Privacy Act (CCPA), which gives consumers a private right of action when their nonencrypted and nonredacted personal information (for example social security numbers, tax identification numbers, financial account numbers, or biometric data) is exposed in a data breach because the business failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. This private right of action is limited to such breaches; other CCPA violations are enforced by the California Privacy Protection Agency and the Attorney General. Before suing for statutory damages, the consumer must give the business 30 days’ written notice and an opportunity to cure, although the statute now states that implementing reasonable security after a breach does not cure the breach itself, and no notice is required for a suit seeking only actual damages. The consumer can then recover actual damages or statutory damages of between $100 and $750 per consumer per incident, whichever is greater, with those dollar amounts subject to periodic inflation adjustment.
At the federal level, the Federal Trade Commission (FTC) also protects customers of financial institutions through its Safeguards Rule, issued under the Gramm-Leach-Bliley Act, which requires covered financial institutions to develop, implement, and maintain an information security program designed to protect customer information. The FTC defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” The rule requires the program to be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information at issue. Since its 2023 amendments it also lists specific required safeguards, including multi-factor authentication, encryption of customer information in transit and at rest, and a written incident response plan, and since May 2024 it has required covered institutions to notify the FTC within 30 days of discovering a breach affecting at least 500 consumers.
The FTC can seek penalties of as much as $100,000 per violation, with an additional $10,000 against officers and directors personally. A company that violates an FTC consent order faces further civil penalties, assessed per day per violation; the often-cited figure of $43,000 is an earlier inflation-adjusted amount, and the FTC raises it each year, so it now exceeds $50,000. Injunctive relief is not reserved for extreme cases: a consent order imposing a documented security program and independent assessments, typically for 20 years, is the FTC’s most common remedy.
The False Claims Act (FCA), the federal law that imposes liability on anyone who defrauds the government and lets whistleblowers (relators) sue on the government’s behalf, was amended in 1986 to protect employees who report fraud from retaliation; those protections were strengthened again in 2009 and 2010. Cybersecurity has since become a condition of federal contracting: the Federal Acquisition Regulation’s basic safeguarding clause (FAR 52.204-21) sets minimum controls for any contractor handling federal contract information, and the Department of Defense’s DFARS clause 252.204-7012 requires contractors that handle controlled unclassified information to implement the controls in National Institute of Standards and Technology (NIST) Special Publication 800-171. A contractor that certifies compliance it does not actually have can be liable under the FCA, a theory the Department of Justice has pursued since launching its Civil Cyber-Fraud Initiative in 2021. As a result, employees who report that their government-contractor employer cannot meet these requirements may both bring qui tam suits and invoke the FCA’s anti-retaliation protections.
In fact, a 2019 FCA case against Cisco, in which the company sold video surveillance software to government agencies despite known security flaws, was settled for $8.6 million, the first FCA settlement based on cybersecurity deficiencies. The whistleblower, an engineer at a Cisco reseller who had reported the flaws to Cisco, was let go after raising the issue; under the FCA’s qui tam provisions he received roughly 20% of the settlement.
As cybersecurity threats become more prevalent, it is crucial that customers and employees know the rights at their disposal. At Miller Shah LLP, we specialize in whistleblower matters. We represent both individual whistleblowers and groups of employees in class action lawsuits. If you have any questions about the FCA, please contact us.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Miller Shah LLP is not involved in the cases discussed, and any commentary is based solely on publicly available information.
Offices: Philadelphia, PA | New York City, NY | Chester, CT | San Francisco, CA | Los Angeles, CA | San Diego, CA | Fort Lauderdale, FL | Hoboken, NJ | Milan, IT | 866-540-5505 (Los Angeles: 310-203-0600)