CarGurus is facing several lawsuits in the United States following reports that a cyberattack linked to the hacking group ShinyHunters exposed the data of millions of users.
The legal actions come after reports that more than 12 million email addresses and related personal information may have been included in data taken from the online car marketplace.
What happened in the CarGurus breach?
The CarGurus data breach has been linked to the cybercriminal group ShinyHunters, which has been connected to a number of high-profile attacks in recent months.
Security researchers believe the group used vishing (voice phishing) techniques to gain access to systems. Vishing often involves impersonating IT staff and persuading employees to reveal login credentials or multi-factor authentication codes.
Once access to internal systems is obtained, attackers can extract large volumes of stored data.
Reports suggest the dataset taken from CarGurus may include:
- Names
- Email addresses
- Phone numbers
- Physical addresses
- IP addresses
- Finance pre-qualification data.
The exact scope of the breach is still being investigated.
What do the CarGurus lawsuits claim?
One of the first lawsuits (Infield v. CarGurus Inc) was filed in February 2026, with the claimant alleging that CarGurus failed to adequately protect customer data. According to court filings, the lawsuit argues that the company breached its duties under:
- Common law negligence
- Contract and quasi-contract obligations
- Industry data security standards
- The US Federal Trade Commission Act.
The claim alleges that CarGurus did not implement reasonable safeguards to protect personal data and failed to provide timely notification to individuals affected by the breach.
A separate class action lawsuit (Campbell v. CarGurus, Inc.) was filed on 6 March.
This claim alleges that negligent cybersecurity practices allowed attackers to access sensitive personal and financial information affecting around 12.4 million records.
The lawsuit includes claims relating to:
- Cybersecurity negligence
- Privacy violations
- Contract and quasi-contract breaches.
In short, the legal filings argue that companies collecting large volumes of personal data have a duty to maintain robust security systems.
The claimants allege that, in this instance, this did not happen. And as a result:
- Sensitive personal and financial data was stored without sufficient protection
- The breach exposed information belonging to millions of users
- Individuals were not notified quickly enough about the incident.
These claims will need to be tested in court.
At the time of writing, CarGurus has not publicly admitted liability in relation to the breach.
Why this matters
Large-scale data breaches can expose individuals to several types of risk.
Personal information obtained through cyberattacks may be used for:
- Phishing scams
- Identity fraud
- Financial scams
- Targeted social engineering attacks.
For many people, the consequences are not just financial. The distress and uncertainty caused by a data breach can also have a real impact.
What this could mean for UK users
The lawsuits currently underway have been filed in the United States. At present, we are not aware of any legal action relating to the CarGurus breach being brought in the UK.
However, data breaches affecting large online platforms can often lead to investigations or legal claims in multiple jurisdictions. If developments occur that could affect UK users — including regulatory action or potential group claims — we will share updates.
If you want to stay updated on any potential legal action with one of our partner law firms, you can register your interest with Join the Claim.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
