This week, two class actions were filed in the U.S. District Court for the Eastern District of Pennsylvania against David’s Bridal based on two data breaches. The actions allege that David’s Bridal failed to protect the personal information of employees and customers.

In January 2024, David’s Bridal suffered a ransomware attack instigated by ransomware group LockBit. The complaint states that “[i]nstead of remedying its deficient cybersecurity practices following LockBit’s theft of [personal information, David’s Bridal] did nothing” and then suffered a second attack by a different ransomware group, WereWolves, in February 2024. The affected information included names, addresses, identification documents, dates of birth, Social Security numbers, and financial account information.

The plaintiffs state that when they provided their personal information to David’s Bridal, the company “promised to safeguard the sensitive, confidential data and only to use it for authorized and legitimate purposes.” Additionally, the complaint alleges that David’s Bridal failed to adequately notify the affected individuals, which did not give them the “opportunity to mitigate harm” related to the breaches. The class actions were filed on behalf of current and former employees and customers. The causes of action are negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. One of the plaintiffs also brought a cause of action under the California Consumer Privacy Act, which allows for a private right of action for a data breach. The plaintiffs are seeking compensatory, actual, and punitive damages, restitution, pre- and post-judgment interest, as well as attorneys’ fees and costs. Additionally, the plaintiffs ask that David’s Bridal be required to implement technical and administrative security controls