Zynga, the popular video game developer, has been hit with a class action lawsuit following a large customer data breach that occurred last fall. During the breach, information from over 170 million accounts within their customer database was accessed. The suit was filed by plaintiffs Joseph Martinez IV and Daniel Petro on behalf of the proposed class of Zynga account holders across the United States. The case will be heard by Judge Jacqueline Scott Corley of California’s Northern District Court.
Zynga, which is known for such games as Farmville and Words With Friends, is in their own words, “a leading developer of the world’s most popular social games that are played by millions of people around the world each day”. Zynga also claims to have “reasonable and appropriate security measures to help protect the security of your information both online and offline and to ensure that your data is treated securely…” However, the plaintiffs claim otherwise, stating that “Zynga knew it was vulnerable to such attacks. As early as 2012, in a Securities and Exchange Commission filing, Zynga reported prior hacking attacks and acknowledged that it “will continue to experience hacking attacks.” Zynga recognized that it was “a particularly attractive target for hackers,” because of its prominence in the social gaming industry.”
The plaintiffs emphasize that although Zynga provides “free” games, users end up paying by submitting thier name, email address, Facebook ID and password, and in some instances, financial information for purchases of games and in-game items. As a result of this data breach, customers have been the target of fraudulent conduct such as credit and identity theft, “credit stuffing,” and phishing scams.
This breach is especially concerning for a vulnerable population that was targeted by Zynga: children. While the games may be free to download, they are filled with opportunities to spend money to advance their position or to obtain special access or ‘power-ups’. According to the plaintiffs, Zynga encouraged children to spend money without parental permission to maximize revenues. They also claim that hackers put a higher value on children’s information since “children’s credit reports are clean, and minors do not check their credit reports or review monthly bills, which means thieves may not get caught for years or even decades.”
The plaintiffs argue that Zynga failed to adequately safeguard their customers’ personally identifiable information (PII). They also claim that Zynga, upon learning about the breach, did not sufficiently notify customers of the problem. Instead of sending emails to every registered user, Zynga posted a notice to their website which users would have to find on their own. Lastly, the plaintiffs suggest that Zynga knowingly deceived customers of the quality of their data security and their ability to protect confidential information.