StockX data breach spurs lawsuit

StockX, a Detroit-based online marketplace for sneakers, is facing a lawsuit over a recent data breach that may have exposed personal customer information.

According to the class-action lawsuit filed Monday in U.S. District Court, the personal identifying information of a Kansas minor identified only as “I.C.” “was accessed, acquired, stolen and re-sold by hackers for the express purpose of misusing plaintiff’s data and causing further irreparable harm to plaintiff’s personal, financial, reputational and future well-being.”

A StockX representative declined to comment.

In a message to customers on its website this month, StockX said an investigation found “an unknown third party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords and purchase history," it said.  

StockX operates much like online auction site eBay, but authenticates the products bought and sold on its website — sneakers, streetwear, handbags and watches — in warehouses before shipping them to buyers. Prices rise and fall by demand and supply just like the stock market and the company takes a percentage of the sale price.

The company, which was co-founded in 2016 by Josh Luber and Dan Gilbert, founder and chairman of Quicken Loans Inc., said that customers' financial or payment information did not appear to be affected by the breach. Officials also reported StockX immediately updated its system's security, reset customer passwords and alerted them about the change as well as other measures.

The Kansas youth’s lawsuit alleges StockX was slow to alert users about a hack believed to have happened months earlier and the information stolen included usernames and passwords that are “highly valued amongst cyber thieves and criminals on the Dark Web.”

The teen’s personal information was confirmed as exposed through a data breach monitoring website, “Have I Been Pwned,” which reported more than 6.8 million accounts were stolen from StockX and “username and password combinations are now being distributed on underground hacker forums for as little as $2.15, which virtually guarantees that it will be widely distributed,” according to the court filing.

The lawsuit was brought on behalf of the youth and all other minors in the country whose data was compromised.

“Plaintiff and the class would never have provided their (personal identifying information) to StockX if StockX had disclosed that it lacked adequate security measures and data security practices, as was revealed by the media reports,” according to the suit. “Plaintiff and the class have been damaged in that plaintiff and the class spent time and will spend additional time in the future speaking with representatives, researching and monitoring accounts, researching and monitoring credit history, responding to identity theft incidents, purchasing identity protection, and suffering annoyance, interference, and inconvenience, as a result of the data breach.”

The suit lists multiple counts, including negligent misrepresentation, fraud, unjust enrichment and violation of state data breach statutes.

It seeks damages and a jury trial.

Staff writer Ian Thibodeau contributed.