Export Compliance Daily is a Warren News publication.
'No Real Disclosure at All'

Credit Card Issuer Failed to Protect Customers From MOVEit Data Breach: Class Action

Defendants Pathward National Association and Progress Software Corp. (PSC) “failed to adequately protect” or “to even encrypt” plaintiffs Michelle Cantrell and Tracy Alcott’s personally identifiable information (PII), alleged a negligence class action (docket 1:23-cv-12554) Friday in U.S. District Court for Massachusetts in Boston.


Financial services company Pathward National Association, issuer of the H&R Block Emerald Mastercard, learned from PSC on July 25 of “unauthorized acquisition of your personal information,” said Pathward’s Sept. 27 notice to its credit card customers, a sample copy of which is available at the Maine attorney general’s website. Pathward became aware July 12 that an unauthorized third party had “acquired certain files transferred through the MOVEit Transfer tool,” said the Pathward letter. Plaintiffs Cantrell of Galesburg, Illinois, and Alcott of Mount Holly, New Jersey, received the notice letter in October, said the complaint.

Pathward told its customers that neither its nor H&R Block’s systems “were involved or compromised by this incident,” but that it takes its responsibility to protect data customers “entrust to us very seriously.” Customer information that may have been involved, associated with customers’ names and credit cards, includes address, Social Security number, date of birth, driver’s license number, email address, phone number and credit card account number, expiration date and other information, said the complaint.

Omitted from the notice were details of the root cause of the data breach, the vulnerabilities exploited and the measures taken to ensure such a breach doesn’t occur again, said the complaint. The “‘disclosure’ amounts to no real disclosure at all,” because it fails to inform, “with any degree of specificity,” of critical facts that affect plaintiffs’ and class members’ ability to “mitigate the harms” arising from the breach, it said.

Defendants didn’t use “reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining,” such as encrypting information or deleting it when it was no longer needed, said the complaint. Pathward “failed to exercise due diligence in selecting its IT vendors or deciding with whom it would share sensitive PII,” the complaint said. Pathward uses MOVEit Transfer software to move data files.

Data thieves regularly target companies like Pathward and PSC “due to the highly sensitive information that they custody,” said the complaint. Defendants “knew and understood that unprotected PII is valuable and highly sought after by criminal parties who seek to illegally monetize that PII through unauthorized access,” it said.

Plaintiffs’ and class members’ PII was accessed and stolen in PSC’s data breach, said the complaint. Their data was or will be sold on the dark web, something plaintiff Alcott “has already experienced,” said the complaint. Defendants retain and store this information and “derive a substantial economic benefit from the PII that they collect,” it said. Defendants couldn’t perform their services without customers’ PII, and when they collected the data, they “assumed legal and equitable duties and knew or should have known that they were responsible for protecting the PII from disclosure,” it said.

Defendants failed to meet the minimum standards of the National Institute of Standards and Technology Cybersecurity Framework Version 1.1 and the Center for Internet Security’s Critical Security Controls, “established standards in reasonable cybersecurity readiness,” the complaint said.

As a result of defendants’ “inadequate data security practices,” plaintiffs and class members have sustained actual injuries and damages, including invasion of privacy, loss of time and productivity in mitigating risk, loss of benefit of the bargain, diminution of value of their PII and continued risk to their PII, the complaint said.

Pathward is offering customers a two-year membership to OnAlert, an identity monitoring service from ChexSystems, for free, said the letter. Customers need to enroll for the two-year membership by Dec. 31. Features of the service bundle include credit reports from Experian, a credit score tracker, credit and identity education videos, real-time authorization alerts, dark web monitoring and up to $1 million identity theft insurance for certain expenses associated with restoring one’s identity, said the letter.

But Pathward’s offer is “wholly inadequate” to compensate victims as it “fails to provide for” the “multiple years” of ongoing identity theft and financial fraud they face, and it entirely fails to provide sufficient compensation for the unauthorized release and disclosure of their PII, said the complaint. Once the two-year term expires, plaintiffs and class members will be forced to pay out of pocket for necessary identity monitoring services, it said.

In addition to negligence and negligence per se, plaintiffs claim breach of implied contract, unjust enrichment and violation of the Illinois Consumer Fraud and Personal Information Protection acts. They seek orders enjoining defendants from engaging in wrongful conduct related to the misuse and disclosure of plaintiffs’ and class members’ PII and from “refusing to issue prompt, complete and accurate disclosures.” They also seek orders requiring defendants to encrypt and protect all data collected in the course of their business in accordance with regulations and industry standards; to delete, destroy and purge PII; to implement a comprehensive information security program; and to appoint an independent third-party assessor to conduct system testing annually for 10 years.

Plaintiffs seek an award of actual, compensatory, statutory, nominal and punitive damages, pre- and post-judgment interest and attorneys’ fees and costs. A PSC spokesperson emailed Monday that the company doesn’t comment on pending litigation “as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed.” Pathward didn’t comment.