Employer liability for worker data exposure central to Sam’s Club class-action lawsuit

by HR News America
A new class action lawsuit filed in the U.S. District Court for the Northern District of Illinois alleges that Cleo Communications US, LLC and Sam’s Club failed to properly secure and safeguard sensitive personal information of customers and employees, leading to a significant data breach.

The complaint, filed by plaintiff S.P. on behalf of herself and others similarly situated, details how cybercriminals allegedly accessed and exfiltrated private information including full names, dates of birth, contact information, credit card information, driver’s license information, and Social Security numbers.

Breach details

According to the complaint, the Cl0p ransomware group added a Sam’s Club entry to its dark web leak site on March 28, 2025, in connection with “its attack spree based on the vulnerability in Cleo’s software.”

The complaint alleges that the defendants “did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining,” which resulted in exposure of unencrypted private information.

Cleo is described as a third-party vendor providing software services to clients including Sam’s Club, which is characterized as a “members-only food and non-food warehouse retailer” with “millions of members in the United States and Puerto Rico, and over 2.3 million current employees.”

Legal claims

The lawsuit includes four causes of action:

  1. Negligence
  2. Negligence per se
  3. Breach of implied contract (against Sam’s Club only)
  4. Unjust enrichment

Central to the negligence claims is the allegation that defendants failed to implement adequate cybersecurity measures and protocols necessary to protect consumers’ private information from “a foreseeable and preventable cyber-attack.”

The complaint cites recommendations from the FBI and Microsoft Threat Protection Intelligence Team that could have prevented the breach, including implementing awareness training programs, enabling strong spam filters, configuring firewalls, patching systems, and applying the principle of least privilege.

Vendor relationship implications

The lawsuit highlights the risks associated with vendor relationships and data handling. The complaint alleges that as a third-party vendor, Cleo collected and maintained personally identifiable information of Sam’s Club’s customers and employees.

This case serves as a reminder of the importance of vendor security due diligence, as the complaint states: “Defendants had obligations created by the FTC Act, contract, common law, and industry standards to keep Plaintiff’s and Class Members’ Private Information confidential and to protect it from unauthorized access and disclosure.”

Alleged damages

The complaint details numerous alleged injuries suffered by the plaintiff and class members, including:

  • Invasion of privacy
  • Theft of private information
  • Lost or diminished value of private information
  • Lost time mitigating the consequences of the breach
  • Loss of benefit of the bargain
  • Continued risk to private information

The lawsuit points to the particularly sensitive nature of the exposed data, noting that “Social Security numbers are among the worst kind of Private Information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change.”

Preventability argument

A key theme throughout the complaint is the alleged preventability of the breach. The plaintiff argues that “Defendants could have prevented this Data Breach by, among other things, properly encrypting or otherwise protecting their equipment and computer files containing Private Information.”

The complaint cites the Federal Trade Commission’s guidelines for businesses, which recommend measures such as protecting personal consumer information, properly disposing of information no longer needed, encrypting stored information, understanding network vulnerabilities, and implementing policies to correct security problems.

Class allegations

The proposed nationwide class includes “all individuals residing in the United States whose Private Information was accessed and/or acquired by an unauthorized party as a result of the data breach reported by Sam’s Club in April 2025.”

The plaintiff argues that common questions of law and fact predominate, including whether defendants had a duty to protect private information, whether they failed to implement reasonable security procedures, and whether plaintiff and class members are entitled to damages.

Requested relief

The lawsuit seeks several forms of relief, including certification of the class, equitable relief to enjoin defendants from further wrongful conduct, injunctive relief requiring enhanced security measures, damages (including actual, nominal, consequential, and punitive), attorneys’ fees, and prejudgment interest.

The plaintiff has requested a jury trial. None of these claims have been tested in court.

For more information, see https://s3.documentcloud.org/documents/25908188/us-dis-ilnd-3-25cv50186-d169199601e306-complaint-filed-by-shoshannah-pass-jury-demand-fil.pdf
