Jun 8, 2020 | Consumer Protection, Employment & Technology Archive
Malicious Code Designed To Scrape Credit Card Numbers And Other Personal Information May Have Been Present on Company’s E-Commerce Platform As Early As November 11, 2016
Kehoe Law Firm, P.C. is making consumers aware that Bombas LLC filed a “Notice of Data Breach” sample customer letter with the State of California Department of Justice, Office of the Attorney General, which stated, among other things, that Bombas, “. . . as part of a review of data security, . . . discovered that malicious code designed to scrape credit card numbers and other personal information may have been present as early as November 11, 2016 on [Bombas’] e-commerce platform.”
Further, the data breach notification stated that “[o]n May 20, 2020, [Bombas] received an investigative report, which could not rule out the possibility that the malicious code could have successfully scraped customer information. The report also confirmed that a new security feature, which was added to [Bombas’] e-commerce platform on February 16, 2017, prevented the malicious code from functioning after that date. Accordingly, there is a window from November 11, 2016 to February 16, 2017 during which customer information potentially could have been exposed.”
Bombas, according to the notification, “. . . believe[s] that the malicious code could have enabled the attacker to acquire certain personal information belonging to customers who entered their payment card information in [Bombas’] online checkout process during the relevant period. The affected information may have included [customer] name, address, and payment card data.” [Emphasis added.]
Have You Been Impacted by A Data Breach?
If so, please either contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or e-mail [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.
Examples of the type of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Jun 4, 2020 | Consumer Protection, Employment & Technology Archive
In Settling FTC Allegations, HyperBeard, A Developer Of Apps Popular With Children, Agrees To Pay Fine And Delete Personal Information Allegedly Collected From Children Under 13
Kehoe Law Firm, P.C. is making consumers aware that on June 4, 2020, the FTC announced that a developer of apps that are popular with children has agreed to pay $150,000 and to delete personal information it illegally collected from children under 13 to settle Federal Trade Commission allegations.
In a complaint filed by the Department of Justice on behalf of the FTC, the FTC alleges that HyperBeard, Inc. violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent. The ad networks used the identifiers to target ads to children using HyperBeard’s apps. The FTC complaint also names HyperBeard’s CEO, Alexander Kozachenko, and Managing Director, Antonio Uribe.
The COPPA Rule requires that child-directed websites, apps, and online services provide notice of their information practices and obtain parental consent prior to collecting personal information from children under 13, including the use of persistent identifiers for targeted advertising.
Many of the apps that HyperBeard offers are directed to children, including Axolochi, BunnyBuns, Chichens, Claberta, Clawbert, KleptoCats, KleptoCats 2, KleptoDogs, MonkeyNauts, and NomNoms, according to the FTC complaint. According to the FTC, the apps contain brightly colored, animated characters such as cats, dogs, bunnies, chicks, monkeys, and other cartoon characters, and are described in child-friendly terms like “super cute” and “silly.” For example, users of the KleptoCats apps send a cartoon cat out on a mission and the cat returns with surprises that users collect in a virtual room. The apps also allow users to pet, groom, feed, and dress their virtual cats.
Allegedly, according to the FTC, HyperBeard was aware that children were using its kids’ apps and promoted those same apps to children. From early 2017 through 2019, it promoted its apps on the kids’ entertainment website YayOMG. It also published children’s books and licensed other products, including stuffed animals and block construction sets, based on its apps’ characters.
As part of the proposed settlement, HyperBeard, Kozachenko, and Uribe are required to notify and obtain verifiable consent from parents for any child-directed app or website they offer that collects personal information from children under 13. They are also, according to the FTC, prohibited from using or benefitting from personal data they collected from children under 13 in violation of COPPA, and must destroy that data. The settlement includes a $4 million penalty, which will be suspended upon payment of $150,000 by HyperBeard due to its inability to pay the full amount. The full amount will be due if either the company or Kozachenko is found to have misrepresented their finances.
Source: Federal Trade Commission – FTC.gov
Jun 4, 2020 | Consumer Protection, Employment & Technology Archive
FTC Warns 35 Marketers To Stop Making Unsupported Claims That Their Products and Therapies Can Effectively Prevent Or Treat COVID-19
Kehoe Law Firm, P.C. is making consumers aware that on June 4, 2020, the Federal Trade Commission announced it has sent letters warning 35 more marketers nationwide to stop making unsubstantiated claims that their products and therapies can treat or prevent COVID-19, the disease caused by the novel coronavirus. This is the sixth set of warning letters the FTC has announced as part of its ongoing efforts to protect consumers from health-related COVID-19 scams. In all, the Commission has sent similar letters to more than 160 companies and individuals.
Most of the letters announced by the FTC target “treatments” offered in clinics or medical offices, including intravenous (“IV”) Vitamin C and D infusions, supposed stem cell therapy, and vitamin injections that may at first glance appear to be based in medicine or proven effective. However, currently, according to the FTC, there is no scientific evidence that these, or any, products or services can treat or cure COVID-19.
The following recipients of the FTC’s letters are grouped based on the type of therapy, product, or service they pitched as preventing or treating COVID-19:
Intravenous (IV) and Ozone Therapies, Immunity Boosting Injections
- Arizona Natural Medicine Physicians PLLC (Chandler, Arizona)
- Doll House MedSpa & Anti-Aging Clinic (San Antonio, Texas)
- Dr. Eric Nepute; Nepute Wellness Center (St. Louis, Missouri)
- East Valley Naturopathic Doctors (Mesa, Arizona)
- Enliven (Odessa, Texas)
- Gonino Center for Healing (Heath, Texas)
- Health Associates Medical Group (Sacramento, California)
- Innovation Compounding (Kennesaw, Georgia)
- Revival Hydration (San Francisco, California)
- Restore Med Clinic (Newport Beach, California)
- Sage Integrative Medicine Clinic (Edmonds, Washington)
- Tulsa Chiropractic Rehab (Tulsa, Oklahoma)
- Vero Clinics (Decatur, Illinois)
Stem Cell Treatments
Electromagnetic Field Blocking Patches
Essential Oils
- Cory’s SEOM (Special Essential Oil Mixes) (Escondido, California)
Homeopathic Treatments
Vitamins, Supplements, Silver, and Chinese Herbal Treatments
- Bixa Human (online only)
- Bodhi Glyphix (Wales Center, New York)
- Cho Acupuncture & Herbal Clinic (Norcross, Georgia)
- Dramov Naturopathic Medical Center (Tigard, Oregon)
- Dr. Don Colbert (Southlake, Texas)
- Evergreen Naturopathic (Spokane, Washington)
- GlyCop Co-op (Boise, Idaho)
- Hawaii Naturopathic Retreat (Hilo, Hawaii)
- Hot Springs Biofeedback (Texarkana, Texas)
- Kimbertouch Technologies (online only)
- Love Acupuncture & Wellness Group (Clackamas, Oregon)
- Natural Health 365 (Clermont, Florida)
- Organic Hawaii, LLC (Honolulu, Hawaii)
- Pure Prescriptions, Inc. (Carlsbad, California)
- The Feed (Boulder, Colorado)
- The Nutritional Healing Center of Ann Arbor (Ann Arbor, Michigan)
- Utopia Silver Supplements (Utopia, Texas)
In the letters, the FTC states that one or more of the efficacy claims made by the marketers are unsubstantiated, because they are not supported by scientific evidence, and therefore violate the FTC Act. The letters advise the recipients to immediately stop making all claims that their products can treat or cure COVID-19, and to notify the FTC within 48 hours about the specific actions they have taken to address the FTC’s concerns.
The FTC’s letters also note that if the false claims do not cease, the FTC may seek a federal court injunction and an order requiring money to be refunded to consumers. In April, the FTC announced its first case against a marketer of such products, Marc Ching, d/b/a Whole Leaf Organics.
Source: Federal Trade Commission – FTC.gov
Jun 2, 2020 | Consumer Protection, Employment & Technology Archive
Class Action Complaint Alleges Walmart Sent Unsolicited Telemarketing Text Messages
Kehoe Law Firm, P.C. is making consumers aware that on June 1, 2020 a class action lawsuit was filed against Walmart Inc. in United States District Court, Western District of Washington, for alleged violations of the Telephone Consumer Protection Act.
According to the complaint, Walmart, beginning on or about April 7, 2020, sent unsolicited text messages to the Plaintiff’s cell phone from 5-digit “short code” 851-66 to “promote[] Defendant’s pharmacy business and delivery services.”
The text messages Plaintiff received, according to the complaint, stated the following:
Do You Believe You Are a Victim of Illegal Robocalls, Text Messages, “Junk” Faxes or Telemarketing Sales Calls?
If you have received illegal robocalls, text messages, “junk” faxes or telemarketing sales calls, you may be able to recover at least $500 for each illegal call, text or fax you received and, possibly, as much as $1,500 for each illegal call, text message or facsimile that was made either willfully or knowingly in violation of the Telephone Consumer Protection Act.
To help evaluate your potential legal claims under the Telephone Consumer Protection Act, please complete KLF’s confidential Robocall Questionnaire or, if you prefer to speak with an attorney, please complete the form above on the right, e-mail [email protected] or contact Michael Yarnoff, Esq., [email protected], (215) 792-6676, Ext. 804, for a free, no-obligation evaluation of your potential legal rights.
Jun 2, 2020 | Consumer Protection, Employment & Technology Archive
Amtrak Reports Recent Incident Potentially Affecting Customer Personal Information
Kehoe Law Firm, P.C. is making consumers aware that Amtrak submitted a notice of data breach “Sample Consumer Notification Letter” to the State of California Department of Justice, Office of the Attorney General, regarding a data incident that potentially affected some personal information of Amtrak customers.
According to the notification letter, “[o]n the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts.” Amtrak stated that it has “. . . determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”
Jun 2, 2020 | Consumer Protection, Employment & Technology Archive
Minted Reports That Unauthorized Actors Obtained Personal Information From Its Database
Kehoe Law Firm, P.C. is making consumers aware that Minted, LLC submitted a breach notification to the State of California Department of Justice, Office of the Attorney General, which stated that Minted “became aware of a report that mentioned Minted as one of ten companies impacted by a potential cybersecurity incident.” Minted reported that its “. . . investigation determined that, on May 6, 2020, unauthorized actors obtained information from [its] user account database.”
Minted’s “Notice of Data Security Incident” stated that the information involved included customer name and login credentials to one’s Minted account, consisting of e-mail address and password, as well as telephone number, billing address and shipping address(es), if a Minted customer provided that information to the company. Minted advised that Minted customer passwords were not in plain text, but rather coded through the “hashing” and “salting” cryptographic process to make one’s password unreadable.
Minted’s breach notification stated that based on their investigation to date, they have no reason to believe that payment or credit card information, address book information, and photos or personalized information added to Minted designs were impacted by the data breach.
Gearbrain.com reported (“Invitation site Minted suffers a data breach”) that “. . . some customers had additional information taken, including birth dates, for less than one percent of customers, and others also had their telephone numbers, plus billing and shipping addresses involved [if] they had been provided to Minted, the email read.” Reportedly, the “[o]nline marketplace Minted, best known for its personalized cards and invitations, . . . knew of the attack, which happened on May 6, 2020, a week later on May 15th — but customers were only notified in the past few days.”
Additionally, according to Gearbrain.com, the reason
[w]hy Minted waited more than two weeks to alert some customers was not addressed both in emails and online. Instead, the company has offered to speak with its clients through a toll-free hotline set up in the U.S., Canada, the UK and Australia.
The company is also encouraging people to change their passwords — especially if they use the same one on other sites as well. Minted specifically is asking customers to not only create a new password, but one ‘…that is not easy to guess,’ the company wrote.
Minted customers who have been affected can also choose to run their passwords through an online password manager, use a free service such as Google’s Password Check to see if their passwords have been affected, or at least take the opportunity to run through some of the steps to help secure other areas of their digital life.