Lessons from Minted’s 5 Million User Data Breach

Harry Rabinowitz 8/21/21 10:00 AM

Learn from Minted's Data Mistakes

A data breach is every business owner's nightmare. Failing to protect your customers’  data is a massive violation of trust for both owners and customers. More concretely, a data breach can have a disastrous impact on your long-term success and reputation.

According to a 2019 consumer report from Ping Identity, 81% of customers said they would stop engaging with a brand online following a data breach, with 25% saying they would stop interacting with said brand in any capacity. And in our current consumer environment, over 60% of consumers believe a company would not notify them if their personal data has been misused or compromised.

Minted Data Breach

Consumers have a reason to be skeptical. Look at what happened to Minted, an independent artist-focused ecommerce site specializing in stationary, fine art, and home décor. Following a data breach affecting five million of its customers, it bungled the fallout, and was sued by consumers citing violation of the California Consumer Privacy Act (CCPA). We’ll review how it all happened, and find lessons any business owner can learn from Minted’s big data breach. 

 

How Not to Handle a Data Breach

On May 6th of 2020, Minted was hacked by a group known as ShinyHunters, who gained access to the account information of about five million Minted users. Minted, however, only learned of this data breach nine days later on May 15th, through public reporting on the ShinyHunters group. Worse yet, Minted did not notify their customers of the breach until May 28th, almost two weeks after learning of the breach through public reporting.

Yikes.

For a period of time Minted even had a top banner linking to more information about the class action lawsuit as you can see above. 

The breach itself revealed the user's personal identifying information, including usernames, passwords, and email addresses.

For some users, the data breach extended to their telephone number and mailing address.

ShinyHunters bundled this massive data set and sold it online on the dark web for $2,500.

Takeaway: Have a plan for data breaches

There are tons of bad actors like ShinyHunters online. While it may be tempting to think that hackers don’t target smaller businesses, this is sadly false. According to a 2020 report from cybersecurity company BullGuard, 18.5% of small business owners suffered a cyber attack or data breach in 2019, despite 60% believing small businesses are unlikely cyber attack targets.

Just like an emergency plan for your household, your small business should have a plan in place for a potential data breach. A data breach plan should, among other things, be centered on communication: both internal and external. If a data breach does happen, your team, and your customers, should be some of the first people to know.

 

Minted Sued over CCPA and Negligence

A few weeks later, on June 11, 2020, a group of consumers affected by the Minted data breach filed a lawsuit, Atkinson et al v Minted, Inc., citing Minted in violation of the California Consumer Privacy Act (CCPA) through its failure to implement “reasonable security measures” within its business and around its user’s data. Essentially, the claim reasons that, if Minted followed the CCPA and had more thorough data security, the breach never would have happened.

Over a year later, in May of 2021, a judge in Northern California granted preliminary approval of the lawsuit, which seeks a five million dollar settlement fund, and would require Minted to implement a plethora of new data security measurements aligned with the CCPA.

The suit is getting a lot of attention, as the CCPA is rather new, and very few class action lawsuits citing the CCPA have been court approved.

Takeaway: Safeguard your business data

A major accusation in the lawsuit against Minted is their lack of “reasonable security measures.” And perhaps if Minted Inc. had more thorough security around their data, the breach would have never happened.

Regardless, there are tons of ways to better safeguard your business data against potential hackers. One of the easiest and most effective methods is utilizing strong passwords, dedicated security software, and virtual private networks (VPNs). All of these can dramatically reduce the chance of a malicious outsider getting access to your computer and business data. On the more advanced end, setting up intrusion detection systems (IDS) and intrusion prevention systems (IPS) can go a long way in detecting and preventing attempted hacks.

 

Privacy Policies and the Future

We don’t know how Atkinson et al v Minted, Inc. will shake out. The one thing we can say for sure is that data security and legal compliance are crucial for any business. As a small business ourselves, we know that this can be challenging for small businesses with limited resources. 

Takeaway: Make privacy a priority and stay up to date on compliance

But by utilizing a tool like Enzuzo, you can keep your small business up to date with all the latest security and privacy laws like the CCPA and General Data Protection Regulation (GDPR).

Keeping your ecommerce brand legally compliant is just a good business move, protecting you from legal actions like the ones that led to Atkinson et al v Minted, Inc. And a strong privacy policy can help boost your brand reputation and win the trust of consumers.

 

Take Steps to Secure Your Business Today

A data breach may seem like the end of the world, and while they shouldn’t be taken lightly, there are ways to prevent them from happening, and minimize their impact if they do. Educating yourself about data security, implementing powerful security tools, and creating a plan for if a data breach does happen are all necessary steps in defending yourself against potential hackers. Staying compliant with laws like the CCPA and GDPR can protect your business from lawsuits like the one facing Minted. 

Generate a Free Privacy Policy