A San Francisco resident who says his personal data was stolen from Walmart by hackers is suing the company for allegedly violating California's new privacy law.
Walmart “failed to implement and maintain reasonable security procedures and practices,” Lavarious Gardiner alleges in a class-action complaint filed Friday in U.S. District Court for the Northern District of California.
A Walmart spokesperson says the company disputes the claims and plans to defend itself.
“We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” the spokesperson says.
California's Consumer Privacy Act, which went into effect in January, has data security provisions that allow individuals to bring private lawsuits over certain data breaches. Gardiner's complaint contains other claims, including that Walmart was negligent, and that it violated a California consumer protection law.
He alleges that his personal information was available for sale on the dark web, and that he possesses “communications with the hackers in which they state that the accounts they are selling are real accounts that belong to Walmart customers.”
Gardiner adds that he believes his personal information “was accessed by hackers as a direct result of the data breach that took place at Walmart.”
The complaint doesn't specify when the alleged data breach occurred.
Gardiner's attorney, Thiago M. Coelho, tells MediaPost the alleged hack took place within the last few years. He adds that the data is still for sale, and that Walmart has not yet remedied alleged security vulnerabilities.
“The hackers obtain access to Walmart accounts by hacking Walmart’s website and Walmart’s customers’ computers, using vulnerabilities on Walmart’s website, and subsequently posting the stolen accounts on the dark web for sale,” the complaint alleges. “That Walmart has been successfully hacked is illustrated by the fact that the dark web is replete with stolen Walmart accounts for sale.”