Export Compliance Daily is a Warren News publication.
'Inadequate' Notice Process

PBI, PSC Failed To Protect Users' Personal Information in May Data Breach: Class Action

Progress Software (PSC) and Pension Benefits Information (PBI) failed to properly secure and safeguard plaintiff Dana LoGiudici’s personally identifiable information (PII), said a Tuesday class action (docket 1:23-cv-11916) in U.S. District Court for Massachusetts in Boston. Defendants violated Section 5 of the FTC Act by failing to protect plaintiffs’ PII in a data breach, it said.

LoGiudici of Oakland Park, Florida, received a notice letter dated July 19 from PBI saying her PII was part of a data breach at PSC, which offers its cloud hosting and secure file transfer service, MOVEit, to corporations and government entities, including PBI. The letter said LoGiudici’s PII was exposed in the data breach between May 29 and May 30, when an unauthorized third party accessed PBI’s internal MOVEit transfer servers containing her PII, said the complaint.

On or about May 31, PBI received notice from PSC that an unauthorized external party had exploited a vulnerability within MOVEit software, the complaint said. The hackers responsible for the data breach were later identified as Russian cyber gang Clop. The data exposed included name, Social Security number and birthday; the compromised data also “allows individuals to infer that consumers were employed in certain sectors or use certain services offered by PBI,” the complaint said.

Due to the exposure, LoGiudici and class members suffered “irreparable harm,” lost the ability to control their PII and are subject to an increased risk of identity theft, said the complaint. PSC and PBI breached their duty by failing to implement and/or maintain adequate security practices, it said.

PBI “delayed acknowledging and giving notice” of the data breach, the complaint said. PBI waited until July 19 “despite knowing that hackers accessed” its account holders’ and customers’ information, “and that sensitive PII was compromised,” it said. Due to PBI’s “inadequate digital security and notice process,” LoGiudici’s and class members’ PII “was exposed to criminals,” the complaint said. They suffered and will continue to suffer injuries, including “financial losses caused by misuse of PII”; loss or diminished value of their PII; lost time associated with detecting and preventing identity theft; and theft of personal, medical, and financial information, it said.

LoGiudici brings claims for negligence, negligence per se, breach of implied contract, and unjust enrichment. She seeks damages to be determined by the court, statutory damages, prejudgment interest and an order of restitution.