Export Compliance Daily is a Warren News publication.
Vulnerabilities Date to 2021

PSC, PBI Haven't Sent Direct Data Breach Notice to Affected Individuals: Plaintiffs

Security vulnerabilities that enabled Progress Software Corp.'s (PSC) May data breach existed as far back as 2021, said plaintiffs’ Kim Siflinger of Washington and Randy Kiyabu of California in a Thursday fraud class action (docket 1:23-cv-11782) against PSC and Pension Benefit Information (PBI) in U.S. District Court for Massachusetts in Boston.



PSC announced in a late May notice on its website that it found an SQL injection vulnerability in its MOVEit Transfer application dating to 2021 that allowed an unauthorized third party to access customer personally identifiable information (PII), but neither PSC nor PBI sent direct notice to those individuals affected by the breach. The California Public Employees' Retirement System (CalPERS) did cite the notice, saying, “CalPERS provided data to PBI in a secure, encrypted format. On June 6, 2023, PBI notified CalPERS that a previously unknown ‘zero-day’ vulnerability in the MOVEit transfer application allowed our data to be downloaded by an unauthorized third party.”

PSC stored, maintained or hosted plaintiffs’ PII on its cloud hosting and secure file transfer services and applications involving MOVEit software that were negligently configured and maintained, said the complaint. That resulted in security vulnerabilities that enabled “multiple breaches of its network and systems or of its customers’ networks and systems, including PBI,” said the complaint. The breach allowed unauthorized third-party cybercriminals to gain access to and obtain plaintiffs’ PII, it said.

The private information of “millions of individuals” was maintained by defendants “in a negligent manner” on computer systems and networks that used MOVEit software, which contained security vulnerabilities that led to “dozens of cyberattacks,” the complaint said. PBI “negligently chose to utilize PSC’s MOVEit software to store and transfer” plaintiffs’ and class members’ PII despite those vulnerabilities, it said. Defendants should have been on notice to take appropriate design and protective measures for the software because other file transfer programs had experienced criminal hacking, it said.

Defendants haven’t made any assurances they adequately enhanced their data security practices to sufficiently guard against a similar vulnerability in the MOVEit transfer app in the future, said the complaint. Details of the breach remain in defendants' control, but plaintiffs, upon information and belief, allege they breached their obligations by failing to design, monitor and maintain reasonable software safeguards against “foreseeable threats”; failed to train staff on data security and comply with industry standards; failed to warn plaintiffs about inadequate security practices, adequately encrypt the PII or detect that their systems had been compromised; and failed to use “widely available software” to prevent the breach.

As a result of defendants’ “inadequate data security practices,” plaintiffs are at a “current and ongoing risk of identity theft” and suffered invasion of privacy; out-of-pocket costs to mitigate the risk of identity theft; loss of time and productivity; diminution of value of their PII; anxiety, annoyance and nuisance; and continued risk to their PII.

Plaintiffs claim negligence and negligence per se, breach of third-party beneficiary contract and unjust enrichment. They seek injunctive relief requiring defendants to employ adequate security practices to protect plaintiffs’ PII. Defendants haven't notified affected individuals that they remedied vulnerabilities, and if an injunction isn't issued, plaintiffs will suffer “irreparable injury and lack an adequate legal remedy in the event of another data breach at PSC,” the complaint said.

Plaintiffs seek orders requiring defendants to stop engaging in wrongful acts named in the suit; to protect and encrypt all data collected in accordance with regulations; to delete, destroy and purge the PII of plaintiffs and implement an information security program with third-party auditors; audit, test and train security personnel; and create firewalls and access controls to protect data systems. They request actual, consequential and nominal damages, prejudgment interest and attorneys’ fees and costs.

A spokesperson for PSC emailed Friday: "We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed." PBI didn't comment.

Also Thursday, four plaintiffs filed a joint response of interested parties before the U.S. Judicial Panel on Multidistrict Litigation to move to transfer related cases in MOVEit Customer Data Security Breach Litigation to U.S. District Court for Minnesota for centralized pretrial proceedings (docket 3083). The state’s central location will benefit litigants located nationwide and is an area where a substantial amount of discovery is likely to reside because PBI’s headquarters are in Minneapolis, said the response.

Plaintiffs Kelly Harris, Diane White, Sabela Portillo and Rebecca Iddings said the MOVEit breach “impacted tens, if not hundreds, of businesses and likely millions of individuals in the United States.” Cases have been filed in California, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, New Jersey and Virginia, and given the widespread impact of the data breach, more related actions are likely against PSC, PBI and other defendants named -- Genworth Financial, Ipswitch and the Illinois Dept. of Innovation and Technology, among others, said the response. Judge Katherine Menendez, who has been assigned each of the related actions filed in Minnesota, is “highly capable of managing a likely substantially complex” MDL, it said.