Eddie Bauer LLC will have to pay up to $2.8 million to settle class claims based on a 2016 data breach that affected all of its American and Canadian stores, according to court filings in the Western District of Washington.
The settlement, which received final approval Oct. 25, will also require the clothing store chain to pay $2 million in attorneys’ fees and spend $5 million on cybersecurity enhancements.
In January 2016, hackers allegedly installed malware on Eddie Bauer’s computer system that infected all of its North American stores. The hackers allegedly stole payment card data and sold it to others who made fraudulent purchases with the cards.
In 2017, Veridian Credit Union sued Eddie Bauer in the U.S. District Court for the Western District of Washington for violating Washington consumer protection and data breach notification laws. Veridian sought to represent other similarly situated financial institutions.
The cyberattack was “the foreseeable result of Eddie Bauer’s minimalistic data security measures—which were known within the company to be insufficient to protect against recognized threats—and refusal to implement industry-standard security measures because they cost too much,” Veridian said.
Tousley Brain Stephens PLLC, Scott & Scott Attorneys at Law LLP, Carlson Lynch LLP, Lockridge Grindal Nauen PLLP, Murray Law Firm, Zimmerman Reed LLP, and Chestnut Cambronne PA represented the class. Lewis Brisbois Bisgaard & Smith LLP represented Eddie Bauer.
The case is Veridian Credit Union v. Eddie Bauer LLC, W.D. Wash., No. 2:17-cv-00356, 10/25/19.