iHeartMedia faces class action lawsuit over delayed notification in December 2024 data breach

A class action lawsuit filed in the U.S. District Court for the Southern District of New York has brought American media conglomerate iHeartMedia under legal and public scrutiny following a cyberattack in December 2024 that compromised the personal information of an undisclosed number of individuals.

The suit, brought on behalf of Tennessee resident Cheryl Shields and similarly affected individuals, centers on allegations that the company failed to adequately secure sensitive data and unreasonably delayed notifying victims.

According to the legal complaint, hackers infiltrated iHeartMedia’s systems during the holiday period between December 24 and 27, 2024, exploiting a time of reduced staffing to gain unauthorized access to files stored at several local radio stations. The attackers reportedly obtained a wide range of sensitive information, including Social Security numbers, financial account details, and health insurance data.

The lawsuit contends that iHeartMedia did not conclude its investigation into the breach until April 11, 2025, and began notifying affected individuals only on April 30—more than four months after the breach occurred. This delay, the plaintiffs argue, left victims unaware and vulnerable to identity theft or other misuse of their data.

“As a result of this delayed response, the plaintiff had no idea for four months that their private information had been compromised,” the complaint states, further warning that the risks posed by the breach “will remain for their respective lifetimes.”

Attorneys representing Shields allege that the breach and its aftermath demonstrate a failure by iHeartMedia to meet basic security expectations. “Had iHeart properly monitored its networks, it would have discovered the breach sooner,” the lawsuit claims, asserting that the compromised information constitutes a “treasure trove for data thieves.”

In response, iHeartMedia said it activated its incident response protocols promptly upon discovering the breach and has since taken measures to reinforce its cybersecurity defenses. The company also noted that it is offering complimentary credit monitoring services to affected individuals as a precautionary measure.