Cricket Data Breach Lawsuit Says Nearly All Customers Impacted by Massive Snowflake Cyberattack

A Cricket data breach lawsuit has been filed over a massive 2024 cyberattack that impacted the call and text records of roughly 10 million Cricket customers.

Defendant(s) Categories

New to ClassAction.org? Read our Newswire Disclaimer

Cricket Wireless faces a proposed class action lawsuit that alleges a massive cloud storage data breach earlier this year impacted the call and text records of “nearly all” Cricket customers, roughly 10 million people nationwide.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

The 36-page Cricket data breach lawsuit shares that cybercriminals earlier this year targeted third-party cloud storage provider Snowflake, which stores massive amounts of customer data from major companies, including AT&T, Cricket, Ticketmaster, Advance Auto, and more.

On or around July 22, Cricket reportedly announced that customer data, including call and text message records from nearly every Cricket customer from May 1, 2022 to October 31, 2022, and January 2, 2023, was stolen from its workspace on a third-party cloud platform, which the suit alleges is Snowflake. Per the case, the defendant did not notify Cricket data breach victims until July 2024, despite learning of the incident in April.

The data breach lawsuit accuses Cricket Wireless of completely and utterly failing to protect customers’ personal information and/or ensure its third-party vendors safeguarded that data consistent with its privacy policy assurances. The lawsuit charges that the Cricket data breach was a direct result of the company’s failure to implement reasonable measures to guard against such a “foreseeable” attack.

“Upon information and belief, multi-factor authentication was not required to access the customer records that were exposed in the Data Breach,” the proposed class action alleges, noting that the compromised data also includes cell site ID numbers of “the most frequently used cell tower(s)” and the phone numbers with which Cricket customers have interacted most frequently.

According to the lawsuit, Cricket to date has provided no assurances that the data stolen in the hack, or copies of it, have been recovered or destroyed, or that the company has bolstered its data protection practices.

The suit specifies that the 2024 Cricket data breach occurred by way of a ransomware attack, whereby hackers use software to encrypt data on a compromised network, rendering the information unusable, and demand payment to restore the network.

The case contends that Cricket could have prevented the attack had it implemented the ISO 27017 information security framework used by many organizations that use cloud services. Per the suit, ISO 27017 recommends, among other security controls, the use of multi-factor authentication for cloud service customers.

Cricket data breach victims now and in the future face a significant risk of identity theft and fraud, the filing emphasizes.

“Consequently, Plaintiff and Class Members have spent, and will spend additional time in the future, on a variety of prudent actions to understand and mitigate the effects of the Data Breach,” the complaint reads.

The Cricket data breach notice states that, as of July 12, 2024, the company does not believe the stolen customer information is publicly available.

The Cricket data breach lawsuit looks to cover all United States residents who are/were Cricket Wireless customers from May 1, 2022 to October 31, 2022, and January 2, 2023, and whose personally identifiable information was accessed and acquired by an unauthorized party as a result of the data breach reported by Cricket.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.