Security News > 2022 > September > Samsung sued for gobbling up too much personal info that miscreants then stole

The suit [PDF], filed this month in a federal district court in northern California seeking class-action status, alleges Samsung unnecessarily collects PII from its customers and, as demonstrated in the aforementioned July cyber-heist, fails to adequately protect the data it collects.

The theft of that customer data, which the suit claims includes personal records on more than half of Samsung's US user base, stemmed from a cyberattack against the Korean tech giant's American arm in February.

No reason to have all that PII. The suit may have been triggered by Samsung's pair of security snafus, though the core of the case focuses on the giant of unnecessarily requiring customers to register for online Samsung accounts and provide PII to unlock basic features of their devices.

The suit argues that collecting that data isn't necessary; instead Samsung snags it to "Increase its profits, gather information regarding its customers, and be able to track their customers and their behaviors."

Based on Samsung's marketing and data privacy policies, the suit said, customers have a reasonable expectation that even if they're handing over unnecessary data, Samsung is going to protect it.

The plaintiffs are expecting at least $5,000,000 in damages and costs, as well as requiring Samsung to submit to external audits and penetration tests, better train its employees to resist cyberattacks and social engineering, and requiring it to destroy data belonging to class members.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/09/27/samsung_data_theft_lawsuit/