Last week the internet buzzed with news about a data leak at Yandex.Food. The service later issued an official apology and confirmed that law enforcement became involved. Yandex.Food also announced strengthened personal data protections and gave users greater control over their information, including the ability to delete certain data themselves.
News of the incident spurred interest from enterprise groups offering to help organize class action lawsuits against the delivery platform. While the chatter is loud, it is premature to declare that there are clear grounds for a mass suit. A data breach does not automatically prove fault on the part of Yandex.Food. Still, the incident appears to have involved a theft of the database, and the company acknowledged the breach. In its statements, Yandex.Food said it reported the matter to law enforcement and conducted an audit aimed at identifying all the details of the case and determining whether a crime was committed by the company.
What matters now is whether the company took comprehensive steps to detect, deter, and prevent unauthorized access by insiders or external actors. Establishing whether the company acted properly hinges on whether appropriate cybersecurity measures were in place and whether there were lapses that could have enabled the breach. This type of assessment is central to determining potential administrative responsibility under the relevant codes.
Additionally, plaintiffs must show that the breaches caused them harm, whether material or moral. Proving this can be difficult, as it requires careful examination of each individual case. The situation is further complicated by reports that personal data from Yandex.Food may have been exposed not only in this service but also across other platforms. Since aggregators often receive data from multiple sources, there is uncertainty about how plaintiffs will establish a direct link to Yandex.Food and the precise origins of the data in question.
Class action efforts led by human rights groups and other organizations are inherently complex. In the early stages it is often challenging, and sometimes impossible, to gather enough evidence to demonstrate a violation by Yandex. Under existing civil procedure rules, certain organizations cannot file a class action on their own behalf if they do not themselves suffer data leakage, which adds another layer of complexity to these efforts.
To proceed with a claim, applicants typically must secure power of attorney from all participants who join the case. This can be a lengthy and costly process, especially in large-scale class actions. Regulatory bodies may also intervene. Authorities tasked with protecting victims could consider submitting the case to court, but it remains uncertain whether such steps will occur while the investigation continues.
Thus, premature conclusions are unwise. What is clear is that class action litigation tends to be protracted and does not always yield the expected results. In a different high-profile case, more than fifty consumers joined a lawsuit against a major firm, FemFatal. Despite rising public interest, the claim did not succeed in court. High-profile actions against large companies are sometimes used for publicity, and outcomes can remain unresolved for years.
Readers should note that perspectives on this matter vary, and the article reflects a particular viewpoint separate from editorial positions. The evolving nature of the case means developments could alter the assessment in the weeks ahead.