A data breach exposing tens of millions of personal records is behind a class action lawsuit against Expedia.com, its affiliated vacation-booking websites, and the Amazon technology that makes it work.
California resident Lauren Schaubach, the named plaintiff, says the companies in charge failed to adequately protect customers' information from a recent data breach and left it to the news media to properly inform them it happened.
The class action lawsuit centers on a widely reported data breach back in November involving Amazon Web Services technology and hotel-booking software, all tied to Expedia and Hotels.com services.
Website Planet, a digital firm specializing in network security, discovered that a "misconfigured" cloud-based server, hosted by Amazon Web Services and used by one of Expedia's partners, left sensitive personal information unprotected from hackers and other criminal elements.
The server, known as an "S3 bucket," held more than 180,000 records from August 2020 alone, according to Website Planet. Experts estimate at least 10 million credit cards, addresses, passport numbers, and driver licenses dating back as far as 2013 could be included, but it's hard to say precisely how much "due to the amount of data exposed."
An investigation showed one reservation record, for example, could hold personal identifying information for an entire family.
Schaubach argues Expedia and Amazon Web Services "failed to maintain proper measures to detect hacking and intrusion," and violated California laws requiring such measures.
Citing California's Consumer Protection Act, Schaubach says these companies are legally obligated to follow standards preventing incidents like the data breach in November.
She claims the personal identifying information, which included granular data like the three-digit security code on the back of the card, was not "stored or hashed" in a way that complied with the Payment Card Industry Data Security Standard, specifically pointing to an encrypted format used to store payment information.
The Payment Card Industry Data Security Standard, also known as PCI DSS, was adopted globally beginning in 2004 as a way to curb credit and debit card fraud.
Amazon Web Services, Expedia, and its partners "failed to maintain proper measures to detect hacking and intrusion," she said. "They have explicitly violated the CCPA [California Consumer Protection Act]."
Furthermore, according to the class action lawsuit, the companies have yet to inform the plaintiffs of the data breach; the plaintiffs instead learned from news reports that their private data was exposed.
Schaubach says she still hasn't been officially notified by Expedia or Amazon Web Services about the data breach as of the date of her filing the class action lawsuit, Dec. 17.
These companies "should have had breach detection protocols in place such that they could have alerted consumers significantly earlier," Schaubach said in the complaint, but instead they now "face an imminent and ongoing risk of identity theft and similar cyber crimes."
Schaubach is seeking to form a Class of plaintiffs from California whose personal identifying information was exposed in the November data breach.
Formally, the class action lawsuit accuses Hotels.com, Expedia, and Amazon Web Services of negligence and of violating California's Consumer Protection Act and Unfair Business Practices Act.
Do you book vacations using any of these services? Have you been exposed in the related data breach? Let us know in the comments below.
Counsel representing the plaintiffs in this class action lawsuit is Todd Friedman of the Law Offices of Todd M. Friedman, PC.
The Data Breach Class Action Lawsuit is Schaubach, et al. v. Hotels.com LP, et al., Case No. 8:20-cv-02370, in the U.S. District Court for the Central District of California.
696 thoughts on Data Breach Exposes Expedia Customers' Information, Prompts Class Action Lawsuit
Please add me into this
Add me. Used Expedia for hotel bookings.
Please add me to this.
Please add me to lawsuits
I used Expedia for two vacations between 2017 and 2020. Add me please.
Add me please.
Add me please. Used most of these.
I live in Ohio and am curious if Expedia's data breach extended beyond the hotels.com usage. I have been a victim of consumer fraud this past year and this is the first time this has ever happened to me. Locked all 3 of my credit bureaus when I realized what was going on but have yet to find out where and how this all started. First I've heard of the Expedia breach.
Please add me, I made travel between those dates.
add me please