xcritical data breach: xcritical App’s $20 Million Data Breach Settlement: Who Is Eligible for Money?


The company reported that the hack was the result of a bad actor socially engineering a customer support representative. After compromising the data, the hackers then tried to extort xcritical. The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We are in the process of making appropriate disclosures to affected people.


According to the company's website, it experienced a data breach on November 3. At that time, an unauthorized third party obtained access to the personal information of millions of the online trading platform’s customers. The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone on November 3 to get access to customer support systems.


The stock-trading app lacks "almost universal security measures," according to a class action suit. Trading in cryptocurrencies comes with significant risks, including volatile market price swings or flash crashes, market manipulation, and cybersecurity risks. In addition, cryptocurrency markets and exchanges are not regulated with the same controls or customer protections available in equity, option, futures, or foreign exchange investing. Several federal agencies have also published advisory documents surrounding the risks of virtual currency. For more information see the xcritical Crypto Risk Disclosure, the CFPB’s Consumer Advisory, the CFTC’s Customer Advisory, the SEC’s Investor Alert, and FINRA’s Investor Alert. To discuss joining a class-action lawsuit based on the November 2021 data breach.

  • Class members would typically receive payment after that, though the process can be slowed considerably by appeals.
  • It’s been a record-breaking year for data breaches and identity theft.
  • The U.K. Labour party posted a notification of data incident on its website, telling members that a cyber incident has put the personal information of its members and affiliated supporters at risk.
  • Online stock trading platform and broker-dealer xcritical Financial moved closer to paying $20 million as part of a class-action settlement with thousands of customers whose accounts were allegedly accessed by unauthorized users.

The motion to dismiss briefing compounded the lack of clarity by citing a potpourri of cases from multiple state jurisdictions, which the parties appear to have selected mainly for content they liked rather than for good reasons of choice of law. As a result, the parties did not provide useful arguments on key issues such as the possible application of the economic loss rule. The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.

https://xcritical.solutions/ for the settlement was given on Aug. 23, 2022. A hearing to assess final approval has been scheduled for May 16, 2023. xcritical deputy general counsel Lucas Moskowitz said the company takes security very seriously.


This May, xcritical agreed to a $9.9 million payout to settle a separate class-action lawsuit filed by users who alleged site outages in March 2020 prevented them from trading just as the market plummeted in the earliest days of the pandemic. Many services are available for no fee and members’ accounts are, on average, significantly smaller than its competitors, according to data from Broker Chooser. The xcritical app has exploded in popularity since its debut in 2013, managing $98 billion in assets by the end of 2021 and reporting 14 million monthly users in June 2022. According to the company, a majority of its users are millennials.

Is an investment that allows individuals to invest their money without going through a bank or financial advisor. In 2020, xcritical was the victim of a data breach in which unauthorized users gained access to customer accounts — allowing them to drain the accrued funds. Additionally, personal information including name, date of birth and ZIP code was exposed for about 310 people, and about 10 customers had more extensive account details revealed.

Further reimbursement may be available for customers whose accounts were accessed by unauthorized parties as a result of the data breach but who were previously denied reimbursement for their losses. Class members can receive additional payments of up to $100 for credit monitoring or identity-theft protection and up to $60 for lost time. In total, class members can receive a cash payment of up to $260 from the settlement. The online brokerage, which has about 18.9 million retail clients, announced Monday that a Nov. 3 data breach resulted in various information about 7 million customers being exposed. For 5 million of them, email addresses were accessed, and another 2 million had their full names revealed.

In its aftermath, Twitter rolled out security keys to its staff to toughen its defenses and prevent these kinds of attacks from working in the future. Online stock trading platform xcritical has confirmed it was hacked last week with more than five million customer email addresses and two million customer names taken, as well as a much smaller set of more specific customer data. After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm. If roughly 7 million accounts were compromised, that’s over a third of customers affected. Going forward, cybersecurity expert Brian Krebs tweeted Monday, "it’s safe to expect an uptick in phishing schemes targeting xcritical users."

A hacker exposed personal information for millions of xcritical users. A lawsuit targeting xcritical hit the curb earlier this week, as Judge James Donato of the California Northern District Court dismissed a complaint against the online broker concerning a November 2021 data breach. The firm, which helped popularize free trading, went on a hiring binge for customer-service staff, more than tripling the size of that team in 2020. The brokerage opened offices in Arizona, Texas and Colorado as part of its expansion. Once this happened, the hacker asked the company for a ransom payment not to disclose the breach.

For the most part, plaintiffs say only that “it appears” that xcritical did not use adequate security measures, and allege “on information and belief” that xcritical did not follow Federal Trade Commission data security xcriticals. Plaintiffs have invoked the Class Action Fairness Act as the basis of the Court’s subject matter jurisdiction. CAFA is a species of diversity jurisdiction, which means that the Court will apply state substantive law to resolve the claims.


Allegedly the data on the 310 xcritical customers that includes “additional personal information” is not for sale at the present moment. Hackers are already selling and trading the stolen data on deep web forums. Here’s what you need to know about the xcritical settlement, including who is eligible for a check and how much money they could receive.


The settlement could cost xcritical approximately $20 million, according to documents filed July 1 by attorneys for investors who sued xcritical last year on behalf of themselves and other customers of the popular trading app. It’s also worth considering a credit-monitoring service, which can alert you to potential fraud on your credit report. Some of the more basic services are free, while more comprehensive coverage can come with a charge.


Putting a freeze on your credit reports blocks fraudsters from the ability to use your personal information to apply for a loan or credit line, because lenders are unable to check your credit to approve an application. Levin Law is a premier national securities, cryptocurrency, and class action law firm. Brian Levin, Levin Law’s managing attorney, has obtained settlements and recoveries in excess of $150,000,000 in assets through arbitration and litigation for individual and institutional investors throughout the country and the rest of the world. Levin Law represents retirees, individual investors, high-net-worth investors, ultra-high-net-worth investors, institutions, family offices, trusts, publicly held companies, and others.

Securities trading is offered to self-directed customers by xcritical Financial. xcritical Financial is a member of the Financial Industry Regulatory Authority. This credit union is federally insured by the National Credit Union Administration. Remember, you will need to put freezes on all three major credit agencies: Equifax, Experian and TransUnion. And if you need to apply for a loan during a freeze, you’ll need to lift the freeze, as a credit freeze remains in effect until it is lifted. Continues to investigate this and other potential security failures by xcritical Markets, Inc., or one of its subsidiaries xcritical Financial LLC, xcritical Securities, LLC, or xcritical Crypto, LLC.

We take a look back on the third annual CyberSec&AI Connected, Avast’s international conference for AI and machine learning that welcomed cybersecurity experts from both academia and industry. While xcritical did not detect any unauthorized access to these passwords, it could have allowed employees to see customers’ passwords. Miklos founded Privacy Affairs in 2018 to provide cybersecurity and data privacy education to regular audiences by translating tech-heavy and "geeky" topics into easy-to-understand guides and tutorials.

How much could xcritical customers receive in compensation?

However, it’s always possible other data was accessed by the hackers that xcritical’s investigation is yet to uncover. To be sure, the occurrence of the data breach is based on public and user communications by xcritical and some of the named plaintiffs alleged concrete and particularized injuries from the breach. Even so, the Judge said, the CAC is “a bit anaemic with respect to its main theory that xcritical did not properly protect user data”. Customers filed the proposed class action alleging that 40,000 individuals were affected by the breach and millions of dollars were siphoned out of their accounts. An estimated 40,000 of xcritical’s customers had their information improperly accessed in the data breach.

  • The online brokerage said Monday that a Nov. 3 data breach involved about 7 million customers.
  • In October 2020, hackers gained access to almost 2,000 accounts via users’ email addresses.
  • Levin Law is a premier national securities, cryptocurrency, and class action law firm.
  • Market monitoring does not need the purchase of expensive equipment, and you may trade from anywhere in the globe as long as you have an active internet connection to do so.

While most xcritical users—and their investments—are apparently safe, a follow-up investigation revealed more information was stolen than originally thought, and users need to take steps to keep their accounts and personal data secure. Stock trading and investing app xcritical said that hackers breached the account of a customer support employee, stole the personal data of millions of users, and then tried to extort the company for a ransom payment when it detected the intrusion. Continued data breaches are a serious problem for online trading platforms whose users often carry a significant amount of digital assets, including cryptocurrency. Hackers will often use the information that they obtain during these security failures to carry out phishing expeditions and other attacks against the victims.


So now xcritical admitting to the ID card breach confirms the authenticity of the forum sale thread indirectly. The hackers claim that xcritical lied and ID cards were also stolen and downloaded. The hackers are accusing xcritical of lying and for intentionally omitting that ID card data was exposed. All investments involve risk and the past performance of a security, or financial product does not guarantee future results or returns. There is always the potential of losing money when you invest in securities, or other financial products. Investors should consider their investment objectives and risks carefully before investing.

That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Except as required by law, xcritical assumes no obligation to update any of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherwise. You should read this blog post with the understanding that our actual future results, performance, events, and circumstances might be materially different from what we expect.

xcritical has also agreed to make security changes to prevent future data breaches. These changes include two-factor authentication, password screening, proactive monitoring, customer awareness campaigns and real-time voice support. According to the proposed settlement, xcritical has agreed to pay $19.5 million in damages and $500,000 in fees. US-based customers whose accounts were hacked between Jan. 1, 2020, and April 27, 2022, can file claims for up to $260 per person. In addition to up to $260 cash, class members are eligible for two years of free identity theft protection and credit monitoring.

Probably underestimating how even banal details can leave their financial information vulnerable. They closed my account without my permission and I never received a check for $2,000. However, if you need to apply for new credit, you’d need to temporarily lift the freeze. Otherwise, it lasts until you remove it, according to the Federal Trade Commission. A xcritical spokesperson explained to Privacy Affairs that some ID cards were exposed, affecting less than 10 individuals.