Recently, the business lending company OnDeck announced that the company experienced a data breach after an unauthorized party gained access to the company’s computer network and transferred sensitive consumer data to a private cloud storage account. According to OnDeck, the breach resulted in the following data being compromised: names, Social Security numbers, tax ID numbers, driver’s license numbers, passport numbers, financial account/payment card account numbers, and medical or health insurance information being compromised. On June 2, 2022, OnDeck filed an official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the OnDeck data breach, please see our recent piece on the topic here.
What We Know About the OnDeck Data Breach
Based on the company’s statements made in its official filings with various state governments, OnDeck first learned of the data security incident on March 10, 2022, when the company detected suspicious activity across some of its computers. After this realization, the company shut down access to all affected devices, secured its network, and engaged in an investigation of the incident.
On March 13, 2022, OnDeck confirmed that an unauthorized party copied certain OnDeck data to a private cloud storage account. On March 17, 2022, OnDeck’s team of investigators gained control over this online storage account and recovered the data, and shut down access to the account. On May 17, 2022, OnDeck determined that a limited amount of personal information was contained in the online account, and therefore, was subject to unauthorized access.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, OnDeck then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include your name, Social Security number, tax ID number, driver’s license number, passport number, financial account/payment card account number, and medical or health insurance information.
On June 2, 2022, OnDeck issued data breach letters to those people whose information was leaked as a result of the incident.
More Information About OnDeck
OnDeck is a global online lending company based in New York City, New York. The company caters to small and large businesses, providing a wide range of lending options, including term loans, lines of credit and SBA PPP loans. In total, OnDeck has provided more than $14 billion in funding to businesses across the world. OnDeck has more than 742 people working for the company and generates approximately $444 million in revenue each year.
Do Victims of a Data Breach Have a Legal Remedy Against Companies?
Yes, under the United States data breach laws, victims of a data breach who can prove that a company was negligent in how it maintained or secured their data may be able to pursue a class action data breach lawsuit against a company. Data breach lawsuits are most often based on the legal concept of negligence; however, it is important to understand that negligence doesn’t necessarily equate to a conscious disregard of a known risk.
Companies can be negligent in many different ways when it comes to protecting the safety and security of consumer data. Below are a few ways in which a company might be found to have been negligent in regard to its data security responsibilities:
A company fails to employ a useful data security system, or uses an outdated system;
A company inadvertently sends consumer information to an unauthorized party;
An employee fails to follow company procedures when dealing with consumer data;
An employee responds to a phishing attack, either by clicking on a link or giving sensitive consumer information to an unauthorized party.
Of course, these are just some of the ways companies can be negligent; there are many others. Importantly, just because a breach occurred does not necessarily mean that the company was negligent. However, a data breach is at least an indication that something went wrong and warrants further investigation. If evidence emerges that a company was negligent in the storage of consumer data or failed to maintain the necessary security protocols, the company may be liable through a data breach class action lawsuit.
Those consumers whose information was leaked in a data breach can learn more about their rights by reaching out to a data breach and consumer privacy lawyer.