On July 27, 2022, Gelt Finance, Inc. reported a data breach to various state government entities after the company confirmed unauthorized access to its IT network. According to Gelt, the breach resulted in the following data being accessible to the unauthorized party: names, email addresses, salted password hashes, driver’s license pictures, passport pictures, deposit and withdrawal history of users’ Gelt accounts, bank names, and copies of certain affected individuals’ bank statements. After confirming the breach and identifying all affected parties, on July 12, 2022, Gelt Finance began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Gelt Finance data breach, please see our recent piece on the topic here.
What We Know About the Gelt Finance Data Breach
The information about the Gelt Finance, Inc. data breach comes from two emails the company sent out to affected users in the wake of the incident, as well as from Gelt’s official filing with state government entities. In a July 12, 2022 email, Gelt explains that it recently detected unusual activity on one of its servers. In response, Gelt took the affected server offline, shifted operations to a backup server, and rotated all third-party API keys. The company also enlisted the help of outside cybersecurity professionals to investigate the incident in hopes of determining its cause and whether any user data was compromised as a result.
A few days later, on July 18, 2022, Gelt Finance sent out another email explaining that the company’s investigation “confirmed signs of unauthorized access to the infrastructure that was taken offline.” While Gelt has not uncovered any evidence that data was removed from its systems, it notes that the types of information on the affected servers included users’ names, email addresses, salted password hashes, driver’s license pictures, passport pictures, Gelt account deposit and withdrawal history, bank names, and copies of bank statements used for account verification purposes.
On July 12, 2022, Gelt Finance sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Gelt Finance, Inc.
Gelt Finance, Inc. is a high-yield savings product based on principles of decentralized finance (“DeFi”). Gelt allows users to withdraw money directly from their bank account and deposit it into their Gelt account, where it is converted to “digital dollars” or stablecoins. Gelt secures funds using a private key that only users have access to, meaning the product is non-custodial (even Gelt doesn’t have access to users’ credentials). Gelt was founded in 2021 and is based in San Francisco, California.
Could Gelt Be Financially Liable for Victims’ Damages?
Reports of the Gelt data breach are very recent, and the company is still in the process of conducting its own internal investigation. However, based on the emails sent to users, it appears as though the breach may have resulted in an unauthorized party gaining access to users’ financial information. If that is the case, those affected by the Gelt breach may be wondering if they have any legal recourse against the company.
Typically, any company that stores information belonging to consumers has a duty to protect the security of that information. While Gelt is built on the concept of decentralized finance, the company still accepts and stores a lot of information about its users. This triggers a duty on Gelt’s part to care for that data.
If Gelt was negligent in how it stored consumer data, the company may be liable for any harm victims suffered as a result of the breach. In the event that a user’s Gelt account gets drained by the hackers, the company indicates that it provides up to $100,000 in protection. However, given the type of information that may have been leaked, the most likely harm in this particular case is identity theft or some other type of fraud. At this point, it is too early to tell what led to the Gelt breach and if the company bears any responsibility. However, data breach lawyers are investigating the incident as well as what legal remedies victims of the breach may have against the company.