A lawsuit has accused Samsung of failing to address a cyber-intrusion in early 2022, leading to the theft of US customers’ personally identifiable information (PII) in a second attack months later in July.

The suit [PDF], filed this month in a federal district court in northern California seeking class-action status, alleges Samsung unnecessarily collects PII from its customers and, as demonstrated in the aforementioned July cyber-heist, fails to adequately protect the data it collects. 

The theft of that customer data, which the suit claims includes personal records on more than half of Samsung’s US user base, stemmed from a cyberattack against the Korean tech giant’s American arm in February. In that instance, notorious cyber-extortion gang Lapsus$ stole and leaked nearly 200GB of internal documents and files from Sammy.

While no customer PII was included in the published materials, source code for, among other things, Samsung’s security management framework Knox, its bootloader, and online account creation and authentication was taken. The suit alleges Samsung’s failure to shore up its systems in the aftermath of that exfiltration led directly to an intrusion in July in which personal data was harvested from the chaebol’s servers by miscreants.

Samsung “was aware that the fraudsters and criminals who had access to the stolen source codes and authentication-related information (among other confidential data) could penetrate defendant’s weak systems,” the suit alleges.

Earlier this month, Samsung admitted its network was infiltrated weeks prior in July and data was stolen. We’ve asked the biz to comment, and haven’t heard back.

No reason to have all that PII

The suit may have been triggered by Samsung’s pair of security snafus, though the core of the case accuses the giant of unnecessarily requiring customers to register for online Samsung accounts and provide PII to unlock basic features of their devices.

Whether it’s smartphones, watches, TVs, printers or other hardware, the suit alleges that drivers, updates, and other features essential to device operation are locked behind customer enrollment.

“Consumers are therefore forced to register accounts,” the suit says. It claims that Samsung collects data including names, dates of birth, addresses, geolocation data, emails, phone numbers, and device information. 

The suit argues that collecting that data isn’t necessary; instead Samsung snags it to “increase its profits, gather information regarding its customers, and be able to track their customers and their behaviors.” 

Based on Samsung’s marketing and data privacy policies, the suit said, customers have a reasonable expectation that even if they’re handing over unnecessary data, Samsung is going to protect it.

According to the court filing, customers “relied to their detriment on [Samsung’s] uniform representations and omissions regarding data security, including failure to alert customers that its security protections were inadequate, and that [Samsung] would forever store Plaintiffs’ and customers’ PII, failing to archive it, protect it, or at the very minimum warn consumers of the anticipated and foreseeable data breach.”

The suit alleges that Samsung violated multiple Michigan and California (where the two named plaintiffs reside) consumer protection and competition laws. In addition, the suit alleges that Samsung deceived customers by concealment, intentionally misrepresented its products, and breached expressed and implied warranties.

The plaintiffs seek at least $5,000,000 in damages and costs, and ask the court to require Samsung to submit to external audits and penetration tests, better train its employees to resist cyberattacks and social engineering, and destroy data belonging to class members.

Samsung’s response to the complaint is due in two weeks on October 11. ®