Canadians could cash in on $4M class-action lawsuit against password manager
Eligible Canadians could receive money from a proposed settlement in a class-action lawsuit filed against password manager LastPass.
LastPass is a password manager that creates and stores secure passwords. On Nov. 3, KND Complex Litigation and Hammerco Lawyers LLP issued a notice to inform Canadians who may be eligible to receive money from the class-action lawsuit against the company.
On Feb. 8, 2023, a lawsuit was filed against LastPass in the Supreme Court of British Columbia due to a security breach that was first reported by the company in August 2022. The class action was brought forward by plaintiff Karan Keswani, who sought damages due to the data breach.
The allegations
lastpass.com
According to a court document, in 2022, LastPass was a victim of “an unknown threat actor” who used credentials stolen from a senior employee. They then accessed parts of the company’s cloud storage environment to take users’ information that was both encrypted and unencrypted.
At the time of the breach, there were 1,102,688 LastPass accounts for users in Canada; however, at least 218,087 are believed to have contained no user data.
The lawsuit alleges that the password manager didn’t have proper measures in place to safeguard and protect users’ private information from computer hacks and cyber threats. It further alleges that it failed to comply with its obligations under the privacy legislation, such as the Personal Information Protection and Electronic Documents Act and common law, to protect users’ information. It’s also alleged that the company didn’t investigate the breach appropriately or communicate the scope and impact of the breach.
LastPass denies any wrongdoing or unlawful conduct and “maintains that they have good and valid defences to the claims asserted against them.”
How much could you receive?
Elena_Alex_Ferns/Shutterstock
The lawsuit against LastPass seeks to recover compensation for damages and losses suffered by users, as well as the risk of harm to their property, finances, creditworthiness, reputation, and relationships due to the data breach.
Both the plaintiff and LastPass agreed on a proposed settlement of US$3 million (approximately, C$4.2 million). The settlement is not an admission of liability, and the settlement represents a compromise of disputed claims.
Once class counsel fees, expenses, honorariums, administration costs, and taxes have been deducted, the remaining settlement funds will be distributed to eligible class members.
According to the lawsuit, you could receive money if you’re a Canadian resident or citizen whose private information was accessed by unauthorized parties as a result of the data breach. Private information includes company names, end-user names, billing addresses, email addresses, phone numbers, IP addresses, and a backup of customer vault data.
The amount you receive depends on the following criteria:
- Crypto claims — if your crypto-assets were stolen as a result of the data breach. Compensation will depend on the amount stolen.
- Ordinary claims — eligible Canadians can get compensation due to “wasted time” as a result of the data breach. You can claim up to five hours at $34.01 per hour, or a total of $170.05. You can also submit a claim for out-of-pocket expenses due to the data breach of up to $500 if the expenses were incurred no later than May 31, 2023.
What’s next?
Currently, the proposed settlement is pending approval by the court, and a hearing will be held on Feb. 18, 2026. Information on the decision will be published online. The deadline to opt out is Dec. 3.
You can sign up online to receive updates on the LastPass class action proceedings.