iHeartRadio Breached By Hackers, Sparking Class Action Over Social Security Numbers & Other Data

iHeartMedia is facing a class-action lawsuit from subscribers after disclosing that several of its radio stations were hacked months ago, exposing Social Security numbers, financial information and other personal details.

The lawsuit came a week after the radio giant (iHeartMedia + Entertainment Inc.) warned customers in regulatory filings last week that “an unauthorized actor viewed and obtained files” at a “small number of our local stations” in December, potentially stealing SSNs, dates of birth, and credit card info.

iHeart said in the filings that it “immediately implemented our response protocols” to contain the hack, and is offering free credit monitoring to those affected. The company also said it had “strengthened its existing security measures” to “help prevent something like this from happening again.”

Those assurances were not enough for Cheryl Shields, a subscriber who filed a proposed class action against iHeart on Wednesday in New York federal court, seeking to represent customers nationwide whose data was compromised. In doing so, her attorneys blasted iHeart for waiting four months to warn subscribers that their data was at risk.

“As a result of this delayed response, plaintiff and class members had no idea for four months that their private information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” Shield’s lawyers write. “The risk will remain for their respective lifetimes.”

The data exposed in the iHeart breach “represents a gold mine for data thieves,” the lawyers write, and there has been “no assurance offered by iHeart that all personal data or copies of data have been recovered or destroyed.”

In a statement to Billboard on Thursday, a spokesperson for iHeart confirmed that the company had “discovered and addressed an incident involving unusual activity on some systems at a small number of our local stations.”

“Upon detecting the activity, we took immediate steps to block it; triggered our incident response protocols; and launched an investigation with the assistance of a third-party cybersecurity firm. We also notified law enforcement,” the company said. “We have strengthened our security measures to prevent something like this from happening again and apologize for any concern or inconvenience this may cause.”

Such lawsuits are common following data breaches. After the credit-reporting company Equifax suffered a 2017 data breach that exposed the personal data of nearly 150 million Americans, the company agreed to pay $425 million to resolve nationwide class-action litigation filed by consumers.

The scale of the iHeart data breach is undoubtedly far smaller. The company did not disclose in regulatory filings how many total victims were involved nationwide, though a notification filed in Maine said only three subscribers in that state had been impacted. Disclosure forms were also filed in California and Massachusetts, as first reported The Record.

In technical legal terms, Wednesday’s lawsuit accused iHeart of negligence, arguing that the company had a legal duty to safeguard consumer’s data.

“As a national media and audio provider in possession of millions of customers’ private information, iHeart knew, or should have known, the importance of safeguarding the

Private Information entrusted to it by Plaintiff and Class Members and of the foreseeable consequences they would suffer if iHeart’s data security systems were breached,” Shields’ lawyers write. “Nevertheless, iHeart failed to take adequate cybersecurity measures to prevent the data breach.”