A class action lawsuit has been filed against iHeartMedia following a December cyberattack on its radio stations, which compromised listener data. Filed on Wednesday in New York’s Southern District Court by Tennessee resident Cheryl Shields, the lawsuit—reported by Bloomberg Law and obtained by Radio World—represents Shields and others affected, alleging iHeart’s negligence in securing sensitive data like Social Security numbers, financial account details, payment card numbers, and health insurance information.
The breach, occurring between Dec. 24–27, 2024, involved an “unauthorized actor” accessing files on systems at a “small number” of iHeart’s local stations. Shields’ legal team criticized the four-month delay in notifying affected listeners, with notifications sent on April 30, 2025, after iHeart’s investigation, aided by a third-party cybersecurity firm, concluded on April 11. The filing argues this delay left victims unaware their data was compromised, posing lifelong risks.
The lawsuit claims iHeart failed to adequately monitor its networks, which could have detected the breach sooner, and notes the lack of assurance that stolen data has been secured or destroyed. iHeart reported the breach to states including Maine (three affected listeners), New Hampshire (five), Massachusetts, California, Maryland, and Rhode Island, per The Record.
An iHeart spokesperson told Radio World the company acted swiftly to block unauthorized activity, engaged law enforcement, and enhanced security measures, apologizing for any inconvenience. They offered affected listeners two years of free Equifax credit and identity monitoring, advised obtaining credit reports, and set up a dedicated inquiry line.
Sead Fadilpašić, a cybersecurity expert from TechRadar, noted that the notification delay is not uncommon, as companies often wait for investigation results. However, he acknowledged the frustration, as delayed notifications can allow data misuse. While the EU’s GDPR mandates swift breach reporting, U.S. laws vary by state, with all 50 having their own notification requirements. No group has claimed responsibility for the attack, per TechRadar.