On April 23, the U.S. District Court for the Northern District of Georgia dismissed a putative class action alleging that a cryptocurrency ATM operator failed to safeguard customers’ personal information in connection with a June 2024 data breach affecting approximately 26,000 individuals. The named plaintiff alleged that an unauthorized third party accessed names, phone numbers, driver’s license numbers, and other personal data, and that the operator did not begin notifying affected individuals until July 2025 — over a year after the breach. The complaint asserts common law tort and contract claims, as well as violations of the Georgia Uniform Deceptive Trade Practice Act. The plaintiff claimed that he and the proposed class faced a “significant risk of identity theft,” emotional distress, and costs from mitigation efforts.

The court granted the defendant’s motion to dismiss under Rule 12(b)(1), finding that the plaintiff failed to establish Article III standing because the complaint did not plausibly allege any actual misuse of the compromised data. Applying 11th Circuit precedent on standing in data breach cases, the court held that a plaintiff must typically allege specific evidence of misuse, such as data being posted for sale on a dark web marketplace or class members experiencing actual identity theft, to demonstrate an “injury in fact” sufficient to establish standing. The court found that the plaintiff’s allegations that the data was “upon information and belief” published on the dark web based on the “modus operandi of cybercriminals” were too speculative to satisfy this standard, and that his alternative standing theories based on mitigation efforts and emotional distress were “inextricably tied” to the failed risk-of-identity-theft theory. The complaint was dismissed without prejudice.