A cyberattack suffered by iHeartMedia radio stations in December has resulted in a class action lawsuit against the media company filed by a listener who said they were affected.
The lawsuit was filed Wednesday in New York’s Southern District Court; a copy was obtained by Radio World. The plaintiff, Cheryl Shields, filed individually and on behalf of all persons whose data was similarly breached. Shields is a resident of Tennessee. The lawsuit was originally reported by Bloomberg Law.
Shields’ representation brings action for iHeart for its failure to secure and safeguard her sensitive data, seeking claims for negligence.
The filing notes the delay between when the breach occurred and when notifications were sent to affected listeners, which were sent out on April 30. The breach took place in December. That was a was a key grievance for Shields’ legal representation.
“As a result of this delayed response, the plaintiff had no idea for four months that their private information had been compromised,” the New York court filing said.
“The risk will remain for their respective lifetimes,” the filing added regarding those affected.
In a report iHeart filed to multiple states, following an investigation aided by a third-party cybersecurity firm, the company determined on April 11 that compromised files contained information such as Social Security numbers, financial account information, payment card numbers and health insurance information.
iHeart said they were stored on systems at a “small number” of its local stations.
Shields’ representation alleges that iHeart failed to properly implement security practices with regard to its network and systems that housed private information. “Had iHeart properly monitored its networks, it would have discovered the breach sooner,” the filing said. The filing also said that there has been no assurance offered by iHeart that data or copies of data have been secured or destroyed.
When reached by Radio World, an iHeartMedia spokesperson said that the company took immediate steps to block the unauthorized activity when it was discovered and proceeded to investigate with the assistance of a third-party cybersecurity firm. iHeart also notified law enforcement.
“We have strengthened our security measures to prevent something like this from happening again and apologize for any concern or inconvenience this may cause,” the spokesperson said.
Cybersecurity perspective
Sead Fadilpašić, a correspondent for Radio World’s sister publication, TechRadar, has reported on hundreds of data breaches. He said the time that elapsed between the attack and the notifications iHeart sent out is not unusual.
“I’ve seen companies report the breach after a year,” he told Radio World. Like iHeart, companies typically wait until an investigation is completed to notify victims. Whether or not individuals are even notified depends on whether personal data was exposed or not.
That said, he certainly understands why those affected would be upset. “By the time they are notified, the data can be used in attacks or identity theft numerous times,” Fadilpašić noted.
Some jurisdictions have clear laws on how fast a corporation must report a breach, such as in the European Union under GDPR regulations. In the U.S., there is no single federal law that governs notification of data breaches. All 50 states have enacted their own data breach notification laws.
Data breach timeline and scale
iHeart described the incident, which occurred between Dec. 24–27, as caused by an “unauthorized actor” who viewed and obtained files stored on systems at a “small number” of its local stations. Its spokesperson declined to comment on the number of stations involved in the breach.
The Record first reported that the company filed the data breach to Maine, Massachusetts and California. The letter that iHeart filed indicated listeners were also affected in Maryland and Rhode Island.
In Maine, three listeners were affected. Five New Hampshire residents were also affected, according to iHeart’s filing there.
No threat actor has taken responsibility for the data breach, according to Radio World sister publication TechRadar.
The data represents a “gold mine for data thieves,” the New York district court filing alleged.
In the notifications letters iHeart mailed to those who were affected, the company offered two years of complimentary access to Equifax’s credit and identity monitoring and advised the victims to obtain a copy of their credit reports and freeze them, if necessary. It also set up a dedicated phone number for people with inquiries.
iHeart describes itself as the largest audio company in the U.S., based on its 870 radio stations, the iHeartRadio digital service and its podcast publishing business.
