Auction.com has been reported to be one of the latest California companies to fall prey to the Conti ransomware group, causing personal financial data and other identifying information maintained by Auction.com to be released on the dark web.
Auction.com has its headquarters in Irvine, California. According to the company’s website, it offers an online marketplace for buying and selling distressed real estate holdings, including residential bank-owned properties and those in foreclosure.
On May 16, 2022, we learned that the Conti group had announced a possible data breach of Auction.com’s computer systems, which purportedly took place on April 13, 2022.
Details are limited but, based on what was released on the Conti group’s leak page on the dark web, personal information may have been accessed and disclosed.
The group made 6.47 MB of data openly available on the dark web, representing that it was a mere 1% of the Auction.com data the Conti group had taken. The Conti group has been linked to over 1,000 ransomware events.
This story will be updated as more details become available.
Companies such as Auction.com have been warned for a year to be on the lookout for Conti group attacks where they maintain sensitive data. The FBI issued a Flash Alert about Conti ransomware attacks in May 2021. On September 22, 2021, a Joint Cybersecurity Advisory disseminated details about what red flags indicate a business has been compromised by Conti ransomware, and how attacks can be avoided.
Businesses Should Be Held Accountable For Data Breaches
“With ransomware groups more active than ever, it is vital that companies stay abreast of the latest FBI advisories to avoid falling victim to these schemes and quickly recognize if they have been compromised,” explains April M. Strauss, senior California attorney and Certified Information Privacy Professional.
“Consumers who have trusted businesses with their sensitive financial and personal data deserve to have that data held securely, with the highest possible attention paid to preventing known threats.”
California Privacy Laws Protect You
When businesses decide to collect and keep personal data about California residents, under California law they take on the obligation to protect that information and keep it safe from ransomware groups like the Conti group, hackers, thieves, and other criminals. This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers.
The stakes are high: Data breach victims are more likely to also be victims of additional fraud. As a result, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016)
Several laws, including the California Consumer Privacy Act (CCPA), require businesses to implement and maintain reasonable security when they collect and keep certain types of personal information. If that sensitive information is unencrypted and accessed, stolen, or hacked because a business failed to exercise reasonable security measures, an affected California resident can sue to protect their rights under the CCPA and other state laws.
If you are a California resident and your data has been compromised, the CCPA provides that affected consumers may be entitled to between $100 and $750 or their actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.