Security News Survey – March 29, 2019

This week, we look at the Supreme Court’s blow to the Zappos appeal, a Canadian cannabis company data breach, and the latest price tags of cybersecurity breaches.


We’re closing out another month with several major cybersecurity incidents in the books, as well as continued fallout from earlier data breaches and cyberattacks. Let’s take a look at some of the headlines we’ve been following.

U.S. Supreme Court allows class-action against Zappos to continue

This week, the Supreme Court rejected an appeal by Zappos to put an end to a class-action lawsuit seeking reparation for a 2012 data breach that compromised the personal information of 24 million customers. The Amazon-owned online shoe retailer attempted to halt the lawsuit, arguing that “virtually no identity theft or fraud” had resulted from the breach, but the Supreme Court is allowing the case to continue.

The decision strikes a blow to businesses that are following the lawsuit because they may be in a similar position to Zappos. Zappos and likewise-afflicted companies have been fervently pushing for the dismissal of class-action lawsuits on the basis that customers can’t prove substantial harm, but the Supreme Court’s decision to turn away Zappos’ appeal emboldens victim advocates, who argue that harm can come from a data breach at any time—even a few years later. This week’s decision is a victory for data breach victims in the U.S. and may impact lawsuits in progress or forthcoming where breach liability is at stake.

Canadian cannabis company patients exposed in data breach

Sunniva, a Canadian medical cannabis company, disclosed a data breach that took place at the end of 2018 and into the new year. According to the company, the medical record system of Natural Health Services (NHS), a Sunniva subsidiary, was compromised and potentially exposed the personal information of 34,000 patients. No financial information was compromised, but it appears the breach did expose personal contact and diagnostic information. NHS is currently working with authorities to investigate the origin and scope of the breach, including whether any malicious activity has been conducted using the exposed data.

The rising cost of security breaches

The recent cyberattack on Norwegian aluminum manufacturer Norsk Hydro continued to make headlines this week as the company shared estimates of costs incurred thus far by the incident. Reading the news reminds us again of the price tag associated with security incidents, and we thought we’d do a quick snapshot of data breach and cybersecurity-related expenses that have been disclosed over the past few weeks.*

  • Wendy’s – $50 million: A class-action lawsuit against the restaurant chain reached a settlement of $50 million as compensation for data breaches in 2015 and 2016. $27 million of the settlement is being paid out of pocket; the rest will be covered by insurance.
  • Norsk Hydro – $41 million: The aluminum giant was recently hit with a ransomware attack and had to shut down most of its operations. Current estimates put the cost of the attack at $41 million. The company’s operations are not completely restored yet, so we can expect this figure to rise.
  • Marriott – $28 million: The global hotel chain incurred $28 million in expenses following the November 2018 data breach. Thankfully for the company, insurance covered all but $3 million.
  • UCLA Health – $7.5 million: UCLA Health has settled a class-action lawsuit with victims of a data breach discovered in 2014 that compromised the personal information of 4.5 million patients. The settlement of $7.5 million allocates $2 million for patients and the remainder for new cybersecurity measures.
  • Sonic Corp. – $5 million: American Airlines Federal Credit Union has filed a $5 million lawsuit in an attempt to recover money lost due to Sonic’s 2017 data breach.
  • Community Health Systems – $3.1 million: Connecticut-based Community Health Systems reached a settlement in a class-action lawsuit following a 2014 data breach that also impacted 4.5 million patients. The payout is capped at $3.1 million, approximately a fifth of the company’s recorded revenue in 2017.

Needless to say, the costs of data breaches and cyberattacks are not insignificant. We’ll be keeping an eye out to see how these and other businesses continue to fare in regard to breach expenses and related lawsuits.

*All figures in U.S. dollars