These consolidated appeals arise from a breach of personal information maintained in a database of the defendant, the National Board of Examiners in Optometry, Inc. (the "NBEO"). Three optometrists, Rhonda L. Hutton, Tawny P. Kaeochinda, and Nicole Mizrahi (the "Plaintiffs"), as representatives of the putative class of victims, specify in two complaints that their personal information and that of the class members was stolen in the NBEO data breach. Hutton and Kaeochinda joined in the initial complaint-which underlies appeal No. 17-1506-that was filed in the District of Maryland in August 2016. It alleges five claims, including negligence, breach of contract, and breach of implied contract. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3025 (D. Md. Aug. 30, 2016), ECF No. 1 (the "Hutton Complaint"). 1 The complaint of plaintiff Mizrahi-which underlies appeal No. 17-1508-was filed in that court in September 2016, and alleges claims of negligence, breach of contract, breach of implied contract, and unjust enrichment. See Mizrahi v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3146 (D. Md. Sept. 13, 2016), ECF No. 1 (the "Mizrahi Complaint"). 2 All the claims arise from the NBEO's failure to adequately safeguard personal information of the Plaintiffs and the class members.

The district court dismissed the Complaints for lack of subject-matter jurisdiction, based on a failure to establish that the Plaintiffs possessed Article III standing to sue. It reasoned, inter alia, that the Complaints had not sufficiently alleged the necessary injury-in-fact and that, in any event, they failed to sufficiently allege that any injuries suffered by the Plaintiffs were fairly traceable to conduct of the NBEO. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3025 (D. Md. Mar. 22, 2017), ECF No. 19 (the "Opinion"). The Plaintiffs have appealed the judgments of dismissal and the appeals have been consolidated. As explained below, we are satisfied that the Plaintiffs have standing to sue and therefore vacate and remand.

I.

A.

In July 2016, optometrists across the United States noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2. 3

The creation of those fraudulent accounts-which required the use of an applicant's correct social security number and date of birth-convinced several of the victims that data containing their personal information had been stolen. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 21. The victims discussed the thefts among themselves in Facebook groups dedicated to optometrists, including, for example, a group called "ODs on Facebook." See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2. The optometrists determined that the only common source amongst them and to which they had all given their personal information-including social security numbers, names, dates of birth, addresses, and credit card information-was the NBEO, where every graduating optometry student had to submit their personal information to sit for board-certifying exams. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 3. Although the victim optometrists identified other possible sources for the data breach-for example, the American Optometric Association, the American Academy of Optometry, and the Association of Schools and Colleges of Optometry-those organizations had not collected or stored social security numbers, or they confirmed that their databases had never been breached. See Hutton Compl. ¶ 16; see also Mizrahi Compl. ¶ 23.

The NBEO soon became aware of the concerns and suspicions of the victim optometrists. On August 2, 2016, the NBEO released a statement on its Facebook page asserting that, "[a]fter a thorough investigation and extensive discussions with involved parties," the NBEO had determined that its "information systems [had] NOT been compromised." See Mizrahi Compl. ¶ 4, 25. Two days later, however, the NBEO revised that view, posting a second statement on Facebook asserting that it had decided to further "investigate whether personal data was stolen from [its] information systems to support the perpetrators' fraud on individuals and Chase." See Hutton Compl. ¶¶ 3, 17; see also Mizrahi Compl. ¶¶ 5, 26. Three weeks later, on August 25, 2016, the NBEO revised its earlier announcements "with a cryptic message stating its internal review was still ongoing and that it may take a number of additional weeks to complete." See Hutton Compl. ¶ 17. The NBEO also advised the victims to "remain vigilant in checking their credit." Id.

On August 30, 2016, Hutton and Kaeochinda initiated their civil action in the District of Maryland, pursuant to codified provisions of the Class Action Fairness Act. See 28 U.S.C. § 1332 (d)(2). Two weeks later, Mizrahi initiated her own civil action in the same court. Hutton, Kaeochinda, and Mizrahi alleged that their personal information, and that of the class members, had been compromised in a breach of the NBEO's database. The Plaintiffs-on behalf of themselves and the putative class-sought damages, restitution, and injunctive relief. See Hutton Compl. ¶ 4; see also Mizrahi Compl. ¶ 8.

Hutton, a resident of Kansas, had submitted her personal information to the NBEO in 1998 when she registered to take a professional optometry licensure examination. Eighteen years later, on August 5, 2016, Hutton received by mail a Chase Amazon Visa credit card for which she had not applied. See Hutton Compl. ¶ 5. Although "Hutton" was her married name in 2016, the Chase credit card account was opened in her maiden name, which she had used in 1998 in registering with the NBEO. Id. Hutton alleges that, as a result of her personal information being compromised, she faces an increased risk of identity theft and fraud. Id. Hutton also alleges that she has spent "time and money putting credit freezes in place with the credit reporting agencies Experian, TransUnion, and Equifax." Id.

Kaeochinda, Hutton's co-plaintiff, is a resident of California. She submitted her personal information to the NBEO between 2006 and 2008-under an earlier married name-in connection with an optometry licensure examination. See Hutton Compl. ¶ 6. On August 1, 2016, Kaeochinda learned that someone had fraudulently applied for a Chase Amazon Visa credit card account using, among other personal information, her earlier married name. Id. Like Hutton, Kaeochinda alleges that she faces an imminent threat of future harm from identity theft and fraud. Id. Kaeochinda also maintains that she has spent time and money putting credit freezes in place, and by "filing reports with the FTC, FBI, IRS, and her local police department." Id.

Plaintiff Mizrahi alleges that, after learning of the NBEO data breach, she began monitoring her credit score and alerted the credit reporting agency TransUnion to the potential fraudulent use of her personal information. See Mizrahi Compl. ¶ 32. Mizrahi also alleges that, on about August 27, 2016, a credit monitoring service advised her that her credit score had fallen by eleven points due to a credit card application filed under her name just one day earlier. Id. On about September 2, 2016, Mizrahi received a letter from Chase bank advising her of steps to be taken to protect her personal information that may have been compromised, but not specifically stating that any such compromise had occurred. Id. at ¶ 33 . When Mizrahi contacted Chase about the letter, a bank representative advised her that a credit card application had been submitted on August 26, 2016, seeking to open a Chase Amazon Visa credit card. The application had used Mizrahi's address, social security number, and her mother's maiden name. Id . at ¶ 34. The Mizrahi Complaint alleges that the Chase bank representative informed Mizrahi that the decrease in her credit score was only temporary, but could not be reversed for approximately sixty days. Id. Mizrahi alleges that she thereafter needed to "send certified letters to Chase, the major credit reporting companies, and others to inform them of this unauthorized event." Id. at ¶ 35 . Sending the letters first required Mizrahi to engage in the "laborious process" of "acquiring the necessary documentation, including a police report." Id.

B.

On October 22, 2016, the NBEO moved in the district court to dismiss both Complaints. The motion sought relief pursuant to Federal Rule of Civil Procedure 12(b)(1), for lack of Article III standing to sue, and under Rule 12(b)(6), for failure to state a claim upon which relief can be granted. On November 2, 2016, the NBEO moved to consolidate the two civil actions. By its Opinion of March 22, 2017, the court dismissed both Complaints pursuant to Rule 12(b)(1), ruling that it did not possess subject-matter jurisdiction due to the Plaintiffs' lack of standing. The Opinion then concluded that the other grounds for dismissal, as well as the motions to consolidate, were moot. See Op. 2. 4 In dismissing for lack of standing, the court relied primarily on our decision in Beck v. McDonald . See 848 F.3d 262 (4th Cir. 2017).

As the Opinion properly recognized, in order to possess standing to sue under Article III of the Constitution, the Plaintiffs were obliged to sufficiently allege three elements: (1) they suffered an injury-in-fact that was concrete and particularized and either actual or imminent; (2) there was a causal connection between the injury and the defendant's conduct (i.e. traceability); and (3) the injury was likely to be redressable by a favorable judicial decision. See Lujan v. Defenders of Wildlife , 504 U.S. 555 , 560-61, 112 S.Ct. 2130 , 119 L.Ed.2d 351 (1992). 5 The Opinion addressed two of those elements, the injury-in-fact element and the traceability element. It first concluded that the Plaintiffs had failed to sufficiently allege that they suffered an injury-in-fact because, even if the NBEO had confirmed an actual data breach, the Plaintiffs had "incurred no fraudulent charges" and "had not been denied credit or been required to pay a higher interest rate for credit they received." See Op. 8. The district court reasoned that the Complaints simply alleged speculative harms that could only occur in the future. Id. Relying on Beck , the Opinion emphasized that the Plaintiffs had "failed to establish standing either upon their asserted increased risk of identity theft or upon their expenses to negate identity theft." Id .

Second, the Opinion explained that any alleged injury of the Plaintiffs was not traceable to the NBEO, emphasizing that, "in all of the cases that have been cited by the parties in the instant cases, an actual data breach had occurred and had been acknowledged or announced by the entity whose data files had been breached." See Op. 7. Elaborating, the Opinion explained that the allegations in the Complaints "relied upon ... online conversations with other optometrists to conclude that NBEO suffered a data breach." Id. The Opinion then determined that the allegations in the Complaints "rest[ed] upon sheer speculation." Id. It recited that the Plaintiffs' "speculation is mistakenly fueled by NBEO's announcements that it was looking into whether an intrusion occurred and that it denies such in fact happened." Id. In comparing the NBEO's statements denying the data breach to the denials of the other professional optometry organizations, the district court reasoned that the "Plaintiffs do not explain why NBEO's denial of a data breach is less credible." Id. Consequently, the Opinion ruled that the Plaintiffs had "failed to allege a plausible inferential link" between providing their personal information to the NBEO and their receipt of unsolicited credit cards. Id. at 8.

Accordingly, the Opinion dismissed the Hutton and Mizrahi Complaints for lack of Article III standing to sue for lack of subject-matter jurisdiction. Hutton and Mizrahi have filed timely notices of appeal, and we possess appellate jurisdiction pursuant to 28 U.S.C. § 1291 .

II.

We review de novo a district court's dismissal of a complaint for lack of standing to sue. See Beck v. McDonald , 848 F.3d 262 , 269 (4th Cir. 2017). To possess standing, a plaintiff must sufficiently allege the three elements identified by the Supreme Court. That is, a plaintiff must allege that they have: "(1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." See Spokeo, Inc. v. Robins , --- U.S. ----, 136 S.Ct. 1540 , 1547, 194 L.Ed.2d 635 (2016). In evaluating a class action complaint, "we analyze standing based on the allegations of personal injury made by the named plaintiffs." See Beck , 848 F.3d at 269 (citing Doe v. Obama , 631 F.3d 157 , 160 (4th Cir. 2011) ). And class plaintiffs cannot meet their burden to establish standing "[w]ithout a sufficient allegation of harm to the named plaintiff in particular." Id . (quoting Doe , 631 F.3d at 160 ). When a complaint is evaluated at the pleading stage, however, "general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim." See Lujan v. Defenders of Wildlife , 504 U.S. 555 , 561, 112 S.Ct. 2130 , 119 L.Ed.2d 351 (1992) (internal quotation marks and alterations omitted). Accordingly, "we accept as true" the "allegations for which there is sufficient 'factual matter' to render them 'plausible on [their] face.' " See Beck , 848 F.3d at 270 (quoting Ashcroft v. Iqbal , 556 U.S. 662 , 678, 129 S.Ct. 1937 , 173 L.Ed.2d 868 (2009) ).

III.

A.

In these appeals, the Plaintiffs seek a reversal of the district court's dismissal of the Hutton and Mizrahi Complaints for lack of standing to sue. They primarily argue that the court erred by making factual determinations to support its ruling. More specifically, the Plaintiffs maintain that they made sufficient allegations of injury-in-fact deriving from the NBEO data breach that are not at all speculative. The Plaintiffs argue that, if their allegations had been accepted by the court, their actual and impending injuries flowing from the NBEO's failure to properly protect their personal information were sufficiently alleged. The Plaintiffs also maintain that their injuries are fairly traceable to the NBEO's conduct, because the allegations of the Complaints extensively tie the NBEO to the data breach. The Plaintiffs also assert that the court misapplied the Article III standing requirements by misconstruing our decision in Beck v. McDonald . See 848 F.3d 262 (4th Cir. 2017).

On the other hand, the NBEO asks us to affirm the dismissal ruling in the district court's Opinion. The NBEO contends that the Plaintiffs' assignment of blame to the NBEO is fatally flawed, in that their allegations derive from discussions in Facebook groups and assume that the personal information divulged in the NBEO data breach had a single source. 6 The NBEO maintains that the Opinion was correctly decided, and that the allegations of an NBEO data breach are speculative and conclusory.

B.

As we recently explained in a standing to sue analysis, it "is established that a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." See Nanni v. Aberdeen Marketplace, Inc. , 878 F.3d 447 , 452 (4th Cir. 2017) (internal quotation marks and citations omitted). Challenges to subject-matter jurisdiction can be presented either facially or factually.

See Kerns v. United States , 585 F.3d 187 , 192 (4th Cir. 2009). 7 In this litigation, the NBEO interposes facial challenges to the Plaintiffs' jurisdictional allegations with respect to the first two standing to sue elements. The NBEO contends that the Complaints, on their face, fail to make allegations sufficient to satisfy the Plaintiffs' burden of establishing that they suffered an injury-in-fact that is fairly traceable to the conduct of the NBEO. See Spokeo, Inc. v. Robins , --- U.S. ----, 136 S.Ct. 1540 , 1547, 194 L.Ed.2d 635 (2016). 8 Because injury-in-fact and traceability are the only standing elements challenged by the NBEO, we focus on those two elements.

1.

First, we assess the injury-in-fact question. To establish an injury-in-fact, the Plaintiffs must show that they "suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.' " See Spokeo , 136 S.Ct. at 1548 (quoting Lujan v. Defenders of Wildlife , 504 U.S. 555 , 560, 112 S.Ct. 2130 , 119 L.Ed.2d 351 (1992) ). As we explained in Beck ,

while it is true that threatened rather than actual injury can satisfy Article III standing requirements, ... not all threatened injuries constitute an injury-in-fact. Rather, as the Supreme Court has emphasized repeatedly, an injury-in-fact must be concrete in both a qualitative and temporal sense. The complainant must allege an injury to himself that is distinct and palpable, as opposed to merely abstract.

See Beck , 848 F.3d at 271 (internal quotation marks and citations omitted). As we also explained, the imminence of an injury, although "concededly a somewhat elastic concept, ... cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes." Id. (quoting Lujan , 504 U.S. at 564-65 n.2, 112 S.Ct. 2130 ). And where a plaintiff has made no allegations that show a sufficiently imminent threat of injury from future identity theft, the plaintiff's "contention of an enhanced risk of future identity theft" is simply "too speculative." Id. at 274.

We reasoned in Beck that a plaintiff fails to "establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against it." See Beck , 848 F.3d at 266 . We emphasized that a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft. Id. at 274-75 . The situations in these consolidated appeals, however, are readily distinguishable from that in Beck . In Beck , the plaintiffs alleged only a threat of future injury in the data breach context where a laptop and boxes-containing personal information concerning patients, including partial social security numbers, names, dates of birth, and physical descriptions-had been stolen, but the information contained therein had not been misused. The Plaintiffs in these cases, on the other hand, allege that they have already suffered actual harm in the form of identity theft and credit card fraud. The Plaintiffs have been concretely injured by the data breach because the fraudsters used-and attempted to use-the Plaintiffs' personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval. Accordingly, there is no need to speculate on whether substantial harm will befall the Plaintiffs.

By way of example, the Hutton Complaint specifies that Hutton received an unsolicited Chase Amazon Visa credit card that was applied for using her social security number and her maiden name (the name that she had provided to the NBEO in 1998). Around the same time, Kaeochinda learned that someone had applied for a Chase credit card using her social security number and former married name. Mizrahi also actually received an alert that her credit score had decreased eleven points due to a credit application that was fraudulently filed with Chase, using her address, social security number, and mother's maiden name. She had to spend time and resources to repair her credit. The Plaintiffs do not allege that they suffered fraudulent charges on their unsolicited Chase Amazon Visa credit cards, but the Supreme Court long ago made clear that "[i]n interpreting injury in fact ... standing [is] not confined to those who [can] show economic harm." See United States v. Students Challenging Regulatory Agency Procedures , 412 U.S. 669 , 686, 93 S.Ct. 2405 , 37 L.Ed.2d 254 (1973).

At a minimum, Plaintiffs have sufficiently alleged an imminent threat of injury to satisfy Article III standing. On that score, these cases stand in stark contrast to Beck , where we concluded that the threat was speculative because "even after extensive discovery" there was "no evidence that the information contained on [a] stolen laptop [had] been accessed or misused or that [the plaintiffs had] suffered identity theft." See Beck , 848 F.3d at 274 . In fact, there was no evidence that the thief even stole the laptop with the intent to steal private information. Id. Here, the Plaintiffs allege that their data has been stolen, accessed, and used in a fraudulent manner.

And although incurring costs for mitigating measures to safeguard against future identity theft may not constitute an injury-in-fact when that injury is speculative, see Beck , 848 F.3d at 276 , the Court has recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists, see Clapper v. Amnesty Int'l USA , 568 U.S. 398 , 414 n.5, 133 S.Ct. 1138 , 185 L.Ed.2d 264 (2013). The Hutton and Mizrahi Complaints both allege that the Plaintiffs incurred out-of-pocket costs. And the Plaintiffs also suffered time lost in seeking to respond to fallout from the NBEO data breach. Indeed, they had to purchase credit monitoring services, and they had to notify credit reporting agencies and the IRS of the data breach of their personal information. Because the injuries alleged by the Plaintiffs are not speculative, the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact to satisfy the first element of the standing to sue analysis.

9

2.

Second, we address the traceability of the NBEO's conduct to the injuries and harms alleged in the Complaints. The Supreme Court in Ashcroft v. Iqbal concluded that "[a] pleading that offers labels and conclusions or a formulaic recitation of the elements of a cause of action will not do. Nor does a complaint suffice if it tenders naked assertions devoid of further factual enhancement." See 556 U.S. 662 , 678, 129 S.Ct. 1937 , 173 L.Ed.2d 868 (2009) (internal quotation marks and citations omitted). With respect to the traceability element, the Court has reasoned that

[t]he injury must be fairly traceable to the challenged action, and relief from the injury must be likely to follow from a favorable decision.... These terms cannot be defined so as to make application of the constitutional standing requirement a mechanical exercise.

See Allen v. Wright , 468 U.S. 737 , 751, 104 S.Ct. 3315 , 82 L.Ed.2d 556 (1984) (internal quotation marks and citations omitted). Therefore, "[p]leadings must be something more than an ingenious academic exercise in the conceivable." See Students Challenging Regulatory Agency Procedures , 412 U.S. at 687 , 93 S.Ct. 2405 . We have concluded that the "fairly traceable standard is not equivalent to a requirement of tort causation." See Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 204 F.3d 149 , 161 (4th Cir. 2000) (internal quotation marks omitted).

The Complaints contain allegations demonstrating that it is both plausible and likely that a breach of the NBEO's database resulted in the fraudulent use of the Plaintiffs' personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit cards. The Complaints allege that a group of optometrists from around the country began to notice that fraudulent Chase accounts were being opened in their names in July 2016. For example, in August 2016, Hutton and Kaeochinda received their unsolicited Chase Amazon Visa credit cards. Hutton's fraudulent credit card was applied for in her maiden name-which she had provided to the NBEO eighteen years earlier. Kaeochinda's unsolicited Chase credit card was applied for in her former married name, which she had provided to the NBEO several years earlier. In August 2016, Mizrahi was informed by a credit monitoring service of an effort to open a fraudulent credit card account in her name, using personal information she had previously provided to the NBEO in registering for a professional examination. Notably, the Plaintiffs allege that, amongst the group of optometrists, the NBEO is the only common source that collected and continued to store social security numbers that were required to open a credit card account, and also stored outdated personal information (such as maiden names and former married names) during the relevant time periods. Furthermore, other national optometry organizations do not gather or store Social Security numbers, or have investigated and confirmed that their databases have not been breached.

Put simply, the Complaints contained sufficient allegations that the NBEO was a plausible source of the Plaintiffs' personal information. Accordingly, the Complaints contain "sufficient factual matter" to render the Plaintiffs' allegations plausible on their face with respect to traceability. See Beck , 848 F.3d at 270 .

In these circumstances, the standing elements of injury-in-fact and traceability are both sufficiently alleged in the Complaints. And the third standing element-redressability-has not been and is not contested by the NBEO. As a result, the district court erred in dismissing the Complaints for lack of standing to sue.

IV.

Pursuant to the foregoing, we vacate the judgment of the district court and remand for such other and further proceedings as may be appropriate.

VACATED AND REMANDED