iHeartMedia is the target of a new class action lawsuit filed by a Tennessee listener claiming the company failed to properly protect the personal information of its users and waited months to disclose a significant cyberattack that occurred in the last week of 2024.
Filed on May 7 in the Southern District of New York, the suit accuses iHeart of negligence and violations of federal trade law, and seeks damages and reforms to the company’s data security practices.
The broadcaster filed public notice of the incident on April 30 and began notifying consumers the same day. iHeart disclosed that between December 24 and December 27, a cybersecurity breach allowed an unauthorized actor to access sensitive company files stored on systems at a limited number of its local stations.
On April 11, iHeart concluded that files involved in the breach contained sensitive personal information. The data potentially exposed includes names, Social Security numbers, tax IDs, driver’s licenses or state IDs, passport numbers, dates of birth, financial and payment card information, and health or health insurance details.
In its filing, iHeart says it launched an investigation immediately upon discovery, brought in a cybersecurity firm to assist, and notified law enforcement.
Yet Cheryl Shields, who says her personal data was stolen, claims that the four-month delay between the cyberattack and the public notice put those affected at even greater risk of identity theft and financial fraud. The lawsuit alleges that the company failed to follow basic cybersecurity best practices, waited too long to notify users, and offered only “limited credit monitoring” as a remedy for what the suit calls a lifelong risk of identity theft.
The 46-page complaint lays out a range of damages, including emotional distress, loss of privacy, and the value of consumers’ stolen personal information—data that’s now likely circulating on the dark web. It also argues that iHeart failed to take “reasonable and appropriate” steps to secure its network and detect the breach quickly.
Shields is seeking class certification on behalf of all US residents affected by the breach, monetary damages, and court-ordered reforms. Among the demands: lifetime credit monitoring, internal security audits, and significant upgrades to the company’s data protection protocols. The suit also seeks to prevent iHeart from collecting or retaining consumer information without stronger protections in place.
The case has been assigned to Judge John P. Cronan. No court date has been set.
