Motion Filed to Centralize Data Breach Lawsuits Against Snowflake

A panel of federal judges is being asked to consolidate and centralize all data breach lawsuits filed against the cloud-based server company Snowflake, which is being blamed for massive cyber attacks that resulted in the release of data on hundreds of millions of customers of AT&T, Ticketmaster and a number of other companies

Earlier this month, AT&T announced a data breach affecting the phone records for nearly all of its 110 million cellular customers, including priviate information for all phone call and text message records received or sent by AT&T customers between May 1, 2022 and October 31, 2022, as well as on January 2, 2023.

That disclosure came on the heels of another massive AT&T data breach announced earlier this year, which involved a separate security failure that resulted in the release of social security numbers and other personal identifying information (PII) of more than 70 million customers, which the company was aware of for several years, but failed to immediately warn customers.

In the wake of those breaches, at least some of the problems have been blamed on Snowflake, Inc., a cloud-based server company that hosts and stores data from a number of companies. Snowflake stored not only the AT&T Wireless phone records that were hacked, but also was the storage company for Live Nation, which was the target of a TicketMaster data breach affecting at least half a billion customers.

While Snowflake has reportedly denied that the problems are due to cybersecurity failures on its end, it faces increasing scrutiny and has been named as a defendant in a growing number of data breach lawsuits in recent weeks, each raising similar allegations.

Given common questions of fact and law raised in class action lawsuits filed against Snowflake, Inc. over the data breach, plaintiff Emmanuel Chaidez filed a motion for transfer (PDF) with the U.S. Judicial Panel on Multidistrict Litigation on July 29, calling for all Snowflake data breach lawsuits to be consolidated in the U.S. District Court for the District of Montana for coordinated pretrial proceedings before one judge.

The motion refers to Snowflake as the “hub” of the data breach problems, with lawsuits against AT&T, Ticketmaster, and others affected by the breaches being the “spokes” radiating out from the cloud server’s cybersecurity failures. Chaidez’s motion indicates this is a key reason that is is necessary for the federal court system to establish consolidated proceedings for all pretrial litigation stemming from the Snowflake data breach.

“This is a typical ‘hub-and-spoke’ data breach that occurred in April 2024, expected to involve over one hundred “spokes” and impacting hundreds of millions of people,” Chaidez states in the motion. “The ‘hub’ at the center of the Data Breach is Defendant Snowflake, Inc., a publicly traded, Bozeman, Montana-based cloud computing software company with thousands of ‘spoke’ customers.”

Chaidez’s motion indicates there are currently 14 Snowflake data breach lawsuits filed against the cloud-server company, with almost all of them in the District of Montana, where Snowflake is headquartered. In addition, there are 48 related actions pending in 11 district courts nationwide, which are referred to as the “spoke” cases.

The U.S. JPML has already established a separate MDL for all AT&T data breach lawsuits, involving claims stemming from the 2021 security failures that exposed social security numbers and other personal identifying information, which does not appear to involve the Snowflake security failures.

Those claims are currently centralized before U.S. District Judge Ada Brown in the Northern District of Texas, and the size of that litigation is continuing to rapidly grow as millions of former customers are eligible to sign up for that AT&T data breach lawsuit. However, it is unclear whether the separate AT&T Wireless phone records data breach involving Snowflake will be consolidated as part of that same pretrial proceeding, or transferred to a different federal judge for coordinated discovery.

Snowflake and other interested parties have not yet filed responses to this latest motion to establish a broader data breach lawsuit MDL.