From Mega‑Breaches to the Dark Web: How Repeated Data Compromises Are Reshaping Data Breach Class Actions

Data breaches have become a common place in the digital era, and not surprisingly, data breach litigation has matured due to the increasing frequency and complexity of breaches. 

The rise in litigation is accompanied by regulatory actions and expansion into data scraping and privacy issues beyond hacking. Notably, data breaches surged by 72% in 2023 compared to 2022, with a dramatic 312% increase in victims in 2024 due to mega-breaches affecting entire supply chains. Defense spending on class actions reached a record $4.21 billion in 2024, accounting for 12.5% of corporate litigation budgets, with increased in-house counsel involvement. 

The Dark Web and Its Role in Data Breach Defense

The dark web is a subpart of the deep web, characterized by anonymity and a high prevalence of illegal content, including stolen data markets. Access requires specialized browsers like Tor, which anonymize user traffic through multiple encrypted relays, making tracking difficult. The dark web hosts over 65,000 “.onion” sites ranging from forums to illicit marketplaces.  While some use it for privacy and free speech, it is predominantly a hub for cybercriminal activities such as selling stolen financial information, weapons, and malware - often transacted using DeFI cryptocurrencies like Bitcoin and Monero to maintain anonymity. 

Data on the Dark Web from Prior Breaches

The dark web marketplace offers a variety of stolen goods including credit card numbers, login credentials, counterfeit money, and hacking services. Prices fluctuate with market conditions; for example, a cloned credit card with PIN costs between $25 and $35, while hacked social media accounts range from $1 to $60. Since 2021, prices for stolen data have generally decreased, reflecting market dynamics and the availability of multiply compromised data and data subjects. These marketplaces operate like legitimate e-commerce sites with ratings and customer service, though the anonymity complicates trust and quality control. 

Obtaining Dark Web Information for Litigation

While some tools allow scanning the dark web, high-stakes litigation benefits from forensic experts who provide attorney-work product-protected investigations. Expert testimony based on dark web data is increasingly admissible in courts to demonstrate whether breached data appeared on the dark web, aiding in standing and causation analyses. Courts, including the Ninth Circuit, have accepted such expert evidence to assist juries and the Courts. 

Judicial Treatment of Multiple-Compromised Data Subjects

Traceability and Article III Standing

To establish standing, plaintiffs must show injury “fairly traceable” to the defendant’s conduct. Multi-compromised data subjects face challenges proving traceability because their harms may stem from various breaches. Courts differ on whether traceability can be resolved at the pleading stage; some dismiss claims lacking plausible misuse linkage to the defendant’s breach, while others allow discovery. The presence of multiple breaches complicates causation, with courts distinguishing traceability from proximate cause but often requiring a direct causal connection between breach and harm. 

Damages and Risk of Future Harm

Data breach cases lack a single injury metric, complicating damage claims. Courts frequently reject claims based solely on out-of-pocket expenses, lost time, or the abstract market value of personal identifying information (PII).[1] Risk of future harm alone is generally insufficient for standing. The Second Circuit’s McMorris test requires: 

1. Targeted exposure of data, 

2. Actual misuse of data, and 

3. Sensitive nature of exposed data increasing identity theft risk.[2]

Multiple breaches may undermine proof of actual or future harm, although the “mosaic effect” theory—where data combined from multiple breaches creates identity theft risk—has limited success due to its speculative nature. 

Impact on Class Certification

Multiple prior breaches affect the suitability of class representatives, potentially undermining trustworthiness and typicality due to unique defenses related to prior breaches. Courts require that class representatives’ claims and defenses align with those of the class; unique defenses can disqualify representatives. Manageability issues arise when individual questions predominate, such as whether each class member experienced identity theft, traceability of harm, or reliance on defendant’s representations. These individualized inquiries often defeat predominance and superiority requirements for class certification. Additionally, multiply compromised data subjects raise standing questions for each class member, complicating certification further. 

Challenges for Injunctive Relief Classes

Certification under Rule 23(b)(2) requires a uniform injunction applicable to all class members. Multiply compromised data subjects face unprovable risks of identity theft that persist despite injunctions, as prior breaches and settlements have not eliminated the threat. Individualized assessments are necessary to determine entitlement to injunctive relief, and each class member must demonstrate actual and imminent injury. Thus, prior breaches undermine the commonality and irreparable injury requirements critical for injunctive relief class certification. 

Conclusion

In a counterintuitive development, as data breaches increase so do the complications in attaining class-wide relief.  There is a complex interplay between multiply compromised data subjects and data breach litigation. The dark web serves as a pivotal tool in defense strategies by providing evidence on prior data exposures. Evidence of prior breaches is then used to challenge both class certification and damages necessary for standing. 

Ultimately, the evolving landscape demands nuanced, data-centric evidence and analyses to address the challenges posed by repeated data compromises in class action litigation.

Click here for more information on Womble Bond Dickinson’s Digital Solutions team.