A “massive, months-long” data breach that allegedly exposed private customers’ information is the subject of a proposed class action lawsuit in B.C.
GoTo Technology Canada Ltd. and its U.S. parent company GoTo Technologies USA (GoTo), along with their subsidiary, LastPass Technologies, are named as the defendants in the proposed class action, which noted the companies first began notifying customers of a data breach in August 2022 and provided further information in November.
LastPass is software that stores users’ “personal, financial and commercial information” in a customer vault, according to the court filings, which name Karan Keswani, an information technology specialist and the owner of Your IT Team Co., as its title defendant.
GoTo reportedly informed customers on Dec. 22, 2022, that cybercriminals had accessed company names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses customers accessed LastPass services from and “crucially” a backup of customer vault data.
GoTo also posted about the data breaches publicly on Jan. 23 of this year, stating: “Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.”
The class action alleges LastPass “was not effective in protecting users’ private information,” didn’t have “appropriate measures to safeguard the sensitive private information” from hacks and cyberthreats, and didn’t adequately investigate the breach or communicate its scope.
The proposed class for the action includes all individuals and entities in Canada affected by the data breach.
The lawsuit is seeking damages for negligence, negligent misrepresentation and breach of contract.