"The claims were all filed in Northern California, where Salesforce is headquartered, over the past five weeks and suggest that the SaaS CRM vendor fell short on security. The complaints, many of which aim for class action status, allege that the personal information of the complainants stolen in the attack is making them targets for identity theft. Salesforce has denied that the security breaches were a result of any shortcomings in its systems. In its public notices, the company has said that its platform was not compromised."
"For example, a suit led by Staci Johnson [PDF] accuses Salesforce of failing to properly secure her personally identifiable information (PII) in connection with a data breach in July 2025. The claim calls for Salesforce to "disclose the nature of the information that has been compromised and to adopt sufficient security practices and safeguards to prevent incidents... in the future." The claim says the breach was a "direct result" of Salesforce's "failure to implement adequate and reasonable cybersecurity procedures and protocols" necessary to protect individuals' PII. It says that victims of the attack "must now closely monitor their financial accounts and credit reports to guard against future identity theft and fraud" while some have "suffered numerous actual and concrete injuries as a direct result of the data breach." Johnson also seeks compensation and injunctive relief to improve Salesforce's system security."
Multiple lawsuits were filed in Northern California within five weeks alleging that Salesforce failed to secure customer data after a cyberattack. Plaintiffs, many seeking class action status, claim stolen personal information is increasing their risk of identity theft. Salesforce denies that its systems were compromised and asserts no platform breach. Investigations revealed attackers stole OAuth tokens from the third-party Salesloft Drift app from May through the summer, with Google Threat Intelligence Group confirming the attacks. One suit alleges direct failure to implement adequate cybersecurity, seeks disclosure of compromised data, compensation, and injunctive measures to improve protections.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]