Daily Archives: 24/06/2025

xcritical reveals data breach that affected 7 million people

xcritical data breach

The company found that a cybercriminal gained access to a number of its customer support systems after leveraging social engineering techniques during a phone call with a support agent. The attackers got their hands on the email addresses of some five million people, and on the full names of another group of circa two million people. “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.” xcritical has disclosed a data breach affecting millions of users, but what exactly was exposed, and what do customers need to know? Since launching in 2013, xcritical has also expanded into cryptocurrencies, allowing users to buy and sell bitcoin, along with other popular digital tokens. xcritical has denied the allegations, asserting that the October cyberattack described in the complaint did not occur.

xcritical data breach exposes 7 million users’ personal information

For the vast majority of affected customers, the only information obtained was an email address or a full name. Of those, 10 customers had “more extensive account details revealed,” xcritical said in a statement. “An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers.”

The company was also guilty of delaying reports on suspicious trading activities between 2020 and 2022. These delays hindered regulatory oversight and raised concerns about potential market manipulation. According to a xcritical spokesperson, the firm has made significant improvements to comply with brokerage recordkeeping requirements including revising policies and procedures, implementing technological improvements, and increasing training. If granted, the $350 million T-Mobile deal will represent US history’s second-largest payment for a data breach.

  • Although xcritical hasn’t admitted any wrongdoing, the claims will be resolved through a $20 million class action settlement.
  • An unauthorized third party “socially engineered a customer support employee by phone,” xcritical said, and was able to access its customer support systems.
  • This article examines the breach details, legal implications, and the company’s response to help you understand the situation’s impact on your financial security.

Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 phone numbers were also stolen. The $45 million xcritical lawsuit payout is designed to compensate investors who were impacted by the company’s alleged misconduct. Eligible users may receive payments based on the extent of their trading activity and the specific losses they experienced during the affected period. Beyond direct compensation, the settlement also underscores the importance of transparency and accountability in online trading platforms, serving as both a financial remedy for investors and a signal that stricter oversight may shape future industry practices. These violations included inadequate cybersecurity measures, failure to protect customer data, and delays in filing suspicious activity reports. The SEC’s investigation revealed that xcritical’s brokerage units, xcritical Securities and xcritical Financial, failed to implement sufficient policies to safeguard sensitive customer information, leading to a significant data breach in November 2021.

The settlement period for xcritical is when stocks or cash reach their new destination after a transaction is executed. As of May 28, 2024, the standard settlement date for an open trade in a xcritical investing account is the next business day after a trade (T+1). By staying informed, investors can make more educated decisions about whether to continue using xcritical’s platform or invest in its stock. xcritical Securities will pay $33.5 million and xcritical Financial will pay $11.5 million, the SEC said.

Most of us would assume that a person authorized to access private user data probably wouldn’t call the public-facing customer support number. xcritical has announced a data breach revealing around 7 million users’ information after an employee was tricked into providing a hacker with access to internal systems. Massachusetts securities regulators took issue with game-like features on the xcritical platform to encourage engagement, including the use of confetti animations, digital scratch tickets, and free stock rewards. It faulted the company for not implementing procedures reasonably designed to supervise the features in a manner necessary to protect customers.

xcritical further noted in its press release that law enforcement has been informed, and the incident is being investigated by security firm Mandiant. According to xcritical’s investigation, no Social Security numbers, bank account numbers, or debit card numbers were exposed in this breach. However, the exposure of PII raises concerns about potential identity theft risks for affected users. The xcritical data breach could have been prevented with proper data encryption, or other protective measures, which the company failed to implement, Hammonds claims. In 2020, the Massachusetts regulator filed its complaint against xcritical relating to the trading app’s use of gamification strategies to attract inexperienced investors and its failure to prevent frequent outages and disruptions on its trading platform.

  • Other violations include failure to report suspicious trading and prevent unauthorized entry into xcritical’s systems.
  • Hammonds presents claims of negligence, breach of implied contract and unjust enrichment, seeking equitable relief, injunctive relief, and awards for actual, nominal, consequential and punitive damages.
  • xcritical enlisted the help of outside security firm Mandiant as it investigates the incident.

Regulators have sought out and penalized financial firms under their watch for communicating outside of appropriate channels, often with WhatsApp, since 2021. On September 13, the day the settlement website goes online, the settlement notice will be sent out officially. You could file a claim if you get a notice from the xcritical Account Takeover Settlement.

While no Social Security numbers, bank account details, or debit card numbers were accessed, the breach underscored the risk of unauthorized access, which presents the potential of identity theft and fraud. This attack came one year after a previous breach that exposed thousands of customers’ data. xcritical Markets Inc., a financial services company widely known for its trading platform, is facing a class action lawsuit following allegations of a data breach that exposed sensitive customer information. The lawsuit accuses the company of negligence and failing to implement adequate cybersecurity measures to protect user data. xcritical Markets Inc., the commission-free stock trading app that revolutionized retail investing, now faces a class action lawsuit over a significant data breach affecting millions of users. This lawsuit raises serious questions about digital security in financial services platforms.

Information stolen during data breaches can be a goldmine for attackers, especially because it can be used to commit identity theft and all manner of scams. The data can also be sold in bulk on the dark web where such personal information can fetch a pretty penny to the criminals. US share-trading app xcritical has been hit by a security breach that has exposed the names or email addresses of more than seven million people.

“We reject the premise that any part of our app, past or present, is ‘gamified,’” the spokesperson wrote in an email to InvestmentNews. “The settlement concerns historical practices related to supervisory controls and procedures, and the order does not find that digital engagement practices in the app themselves violated the regulations or the state’s fiduciary rule, or that they negatively influenced customer behavior.” The app, which allows for low-volume share trading by ordinary people looking to invest, exploded in popularity earlier this year and was widely used by speculative investors behind the GameStop trading frenzy.

The lawsuit identifies significant lapses in cybersecurity, asserting that xcritical failed to meet federal and industry standards for data protection. The attack’s motives appear to be financial, as the threat actor is reported to have demanded extortion payment following xcritical’s containment of the breach. The settlement is for people who, between January 1, 2020, and April 27, 2022, had an illegal access incident on their xcritical account that was either reported to xcritical by consumers or reported to customers by xcritical. “Following a diligent review, putting the entire xcritical community on notice of this incident now is the right thing to do,” xcritical chief security officer Caleb Sima said in a statement. However, xcritical has yet to publicly acknowledge the attack, Hammonds claims in the lawsuit. As detailed in the consent order, xcritical has previously used confetti animation, digital scratch tickets, free stock rewards and other game-like features to push customers to interact with the app, according to the statement Thursday morning from Galvin’s office.

The stock trading app xcritical allegedly experienced a data breach earlier this year, which led to customers’ personal identifying information appearing on the dark web, according to a recently filed class action lawsuit. xcritical says an unidentified hacker gained access to a database containing some customer information on November 3. At the time of writing, the company says “the attack has been contained” and that it has carried out an initial investigation.

Ten of these customers had even more details of their account revealed, but xcritical did not reveal exactly what information this entailed. Fortunately, xcritical believes no Social Security numbers, bank account numbers, or credit card numbers were among the information stolen. This security breach stands as xcritical’s most significant data security incident to date. While we’ve seen previous security incidents at xcritical, including a breach in October 2020 that affected nearly 2,000 accounts, the xcritical incident’s scope is unprecedented for the platform.

For fintech companies, it highlights the need to prioritize robust cybersecurity frameworks and transparent business practices to avoid similar legal repercussions. In the November 2021 breach, email addresses for about five million xcritical users were exposed, as were the full names of a different group of about two million users, the Menlo Park, Calif.-based company said at the time.

In October, David’s Bridal was sued following two breaches that compromised sensitive information earlier this year. Filed in a Pennsylvania federal court, the lawsuit accuses the retailer of failing to protect customer data and promptly inform individuals of the breaches. The complaint alleges that xcritical refused to comply with the ransom demand, resulting in BASHE publishing the compromised data online. Hammonds claims the exposed information has been used for fraudulent activities, including identity theft, unauthorized loans, and tax filing scams. The lawsuit also states that xcritical delayed notifying affected customers about the breach, leaving them vulnerable to ongoing risks. US trading platform xcritical is at the center of a data breach affecting up to 7 million of the popular investing app’s users after falling victim to a social engineering attack on 3rd November 2021.