A class action lawsuit has been filed in Illinois against Eventbrite over the massive data breach at subsidiary TIcketfly earlier this year, according to multiple outlets. The lawsuit, filed by Shanice Kloss in Cook County, alleges negligence on the company’s part, both before and after the breach, which saw some 26 million users data exposed by a hacker.
News of the massive data breach came out in May, crippling the indie ticketing provider and numerous venues that used its system. Stolen data involved email addresses, names, phone numbers, and physical addresses. A hacker reportedly found a vulnerability in the company’s wordpress content system that it exploited to gain access. The individual attempted to ransom Ticketfly for the data before going public, but the company opted against paying the 1 Bitcoin (approx. $7,500) fee.
The plaintiff in the lawsuit says that despite the company being aware of the breach in the spring, and even making a public announcement, she was not aware of her data having been exposed until seeing a tweet about the breach in September – the company had never contacted her.
Eventbrite, the complaint reads “was storing sensitive information… it knew was of value to, and vulnerable to, cyber attackers.” But rather than protect that data, it employed “lax cybersecurity procedures” and then failed to mitigate the vulnerability even after being contacted by the hacker. Due to all of this, and the fact that she had not – as one of the 26 million+ users whose data was compromised – been notified by the company at all aside from stumbling across their June 6 tweet by happenstance – she was put in the path of “irreversible privacy harms.”
The lawsuit claims that Eventbrite has violated the Illinois Consumer Fraud and Deceptive Business Practices Act, as well as putting the company in breach of contract with its consumers, and acted negligently. Kloss and her legal team have asked for a trial by jury and requested appropriate relief, including statuatory, compensatory, and punitive damages. Additionally, the lawsuit seeks a court order forcing Eventbrite to provided identity fraud monitoring and mitigation services for the victims of the fraud
In the wake of the massive data breach, Eventbrite marched on with its planned IPO, going live in mid-September. After launching at $23 per share, the stock jumped to $36.50 after its first day, and has traded at as much as $40.25. In recent days, the stock has climbed back to earth, closing at $27.92 on Thursday.
The company has not issued any statement related to the lawsuit.