Victims Sue Financial Firms Over MOVEit Data Breaches
Fresh Lawsuits Target Prudential, Plus Charles Schwab and Subsidiary TD Ameritrade
Financial services firms affected by the mass attack on MOVEit file-sharing software are among the latest to face lawsuits from affected individuals. One such lawsuit, filed against Prudential, wants the firm to pay for 10 years of identity theft monitoring service instead of the usual two, since stolen Social Security numbers cannot be replaced.
So far, 998 organizations are known to have fallen victim to the MOVEit attacks, based on public data breach notifications and victims listed by Clop on its data leak site, security firm Emsisoft reported.
Clop's attacks have affected between 49 million and 54 million individuals worldwide, according to German cybersecurity research firm KonBriefing.
The Russian-speaking Clop group exploited a zero-day flaw in MOVEit servers worldwide that allowed it to steal all of the data stored on a server. Clop unleashed its highly automated mass attack around May 29, apparently timed to take advantage of the U.S. Memorial Day holiday weekend. Massachusetts-based Progress Software issued a security alert and patches to fix the flaw in its MOVEit software on May 31.
Organizations that have each reported losing information on millions of individuals due to the attacks include government contractor Maximus; state government agencies in Louisiana, Colorado and Oregon; and the Teachers Insurance and Annuity Association of America, aka TIAA, among others.
Individuals affected by MOVEit data breaches have filed multiple lawsuits against organizations that directly or indirectly lost their personal information, including TIAA, Johns Hopkins University and its health system, the California Public Employees' Retirement System, aka CalPERS, and Progress Software itself.
Fresh lawsuits have recently been filed against two financial services giants: Prudential, plus Charles Schwab and its subsidiary TD Ameritrade.
Prudential Victims Seek More Monitoring
Prudential on July 31 began notifying 320,840 individuals that their personal data, including names and Social Security numbers, had been exposed via an attack against service provider Pension Benefit Information's MOVEit server, and it offered them 24 months of prepaid credit and identity theft monitoring services.
PBI is widely used by financial services firms to help them comply with federal regulations, including by identifying policyholders who are deceased as well as their beneficiaries. Numerous organizations have reported falling victim indirectly to the MOVEit attacks via breaches of PBI and other service providers.
California resident Bruce Parker on Aug. 15 filed a complaint in New Jersey federal court, seeking class action status against Prudential. The lawsuit accuses Prudential of violating common law by failing to protect customers' personal information and says victims "now face a lifetime risk of identity theft due to the nature of the information lost, including Social Security numbers, which they cannot change, and which cannot be made private again."
Parker is seeking damages, and the lawsuit asks the court to order Prudential to overhaul its security program and submit to outside security audits for the next 10 years. It also wants Prudential "to pay for not less than 10 years of credit monitoring services" for victims. Paying out of pocket for such monitoring would otherwise cost victims an estimated $200 per year, the complaint says.
TD Ameritrade Sued
On Wednesday, David Schultz filed a complaint in the U.S. District Court for the District of Nebraska against TD Ameritrade and Schwab, seeking class action status. Schultz says that around Aug. 22 he received a data breach notification dated Aug. 3.
TD Ameritrade, owned by Charles Schwab, began notifying 61,160 individuals in early August that due to the MOVEit attacks, their Social Security numbers, financial information and other personal information had been exposed, including their "financial account number or credit/debit card number, in combination with security code, access code, password or PIN for the account." The firm offered victims 24 months of prepaid credit and identity theft monitoring services.
In the complaint, Schultz claims affected customers "suffered present injury and damages in the form of identity theft, loss of value of their PII, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the unauthorized access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information."
The lawsuit alleges that customers' rights were violated by TD Ameritrade "knowingly failing to implement and maintain adequate and reasonable measures" to protect their data, and by the firm taking nine weeks after the intrusion to notify victims. The lawsuit seeks unspecified damages and requests that the court order TD Ameritrade to overhaul its information security practices, including implementing logging and monitoring programs to give it better visibility into breaches, and to have an outside firm monitor these efforts for 10 years.
Responding to the lawsuit's allegations, Schwab said it stands by its cybersecurity and notification practices.
"Generic and conclusory allegations are often devoid of accuracy and context," a statement released by Schwab says. "Our focus is protecting our clients. We do that by not only standing by them in such matters but by thoroughly investigating any incident that may affect them. Our notification practices are consistent with our mission to see the world through our clients' eyes and are in keeping with our regulatory obligations."
Where Will Victim Count End?
With fresh reports of data breaches due to the MOVEit attack still arriving daily, the count of victims - already near 1,000 - looks set to increase.
Multiple investigations remain underway. Earlier this week, the French government unemployment agency Pôle Emploi announced that one of its service providers, Luxembourg-based Majorel, is investigating a data breach that exposed information for 10 million individuals, French daily Le Parisien reported.
While Majorel is reportedly a MOVEit user, it is not yet clear whether the breach was tied to its MOVEit server.