
South Staffs Water Faces a Group Action Following Clop Ransomware Attack

 

Following the theft and disclosure of their data by the Clop/Cl0p ransomware group, nearly one thousand victims recently filed a class action lawsuit against South Staffordshire Plc. 

South Staffordshire Plc, which owns South Staffordshire Water and Cambridge Water, served 1.6 million Midlands customers when Clop targeted its networks in August 2022.

The cyber attack on its systems became well-known at the time because Clop falsely claimed it had targeted Thames Water, which serves consumers in Greater London and other parts of south-east England. 

The inept cyber crooks published a lengthy rant against Thames Water, criticising its alleged cyber malfeasance and urging customers to come together to sue it. Two and a half years later, Manchester-based Barings Law is seeking legal action over the breach, for which South Staffs has admitted liability. 

Bank sort codes, account numbers used for direct debit payments and bank transfers, names, residences, and other sensitive information were among the details that Barings said its claimants saw published on the dark web. It states that South Staffs did not fulfil its obligation to safeguard its clients' personal information.

“This cyber attack has exposed a significant number of individuals to potential risks and damages,” stated Adnan Malik, head of data breach at Barings Law. “Our clients are seeking not only financial compensation, but also accountability from South Staffs Water for the lapses in data protection. We are regularly fielding enquiries from the public who are concerned they may have been victims of this terrible incident.” 

“This data breach is a serious infringement of privacy rights, and we will robustly pursue justice on behalf of the claimants to ensure that they receive fair compensation for the potential repercussions of this breach. Barings Law remains committed to championing the rights of those affected and holding accountable any entity that neglects its responsibility to protect sensitive data,” Malik added. 

Barings was established in 2009 and is becoming known for specialising in similar collective claims involving cyberattacks that resulted in the theft and disclosure of personally identifiable information (PII). Notable actions against Capita and Carphone Warehouse have advanced in the last 12 months. 

The Capita lawsuit pertains to two 2023 incidents that compromised the data of members of the public: the first was a ransomware attack that impacted multiple pension funds, and the second was an inadvertent leak of data housed in an insecure Amazon Web Services (AWS) S3 storage bucket. As of mid-January 2024, over 5,000 people had signed up to join. 

Capita has denied the legitimacy of this claim, stating that there is "no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity".

NYC’s Metropolitan Opera Faces Lawsuit for 2022 Data Breach


New York City’s Metropolitan Opera, the world’s largest opera house, has recently been hit with a class action lawsuit following a data breach that took place in 2022 and apparently compromised the private information of around 45,000 employees and patrons. The lawsuit has been filed in the Manhattan Supreme Court.

According to Anthony Viti, a former employee of the Met (the largest performing arts organization in the country) and the lead plaintiff in the lawsuit, the private information compromised in the breach includes victims’ Social Security numbers, driver’s license numbers, dates of birth and financial account information.

When the breach was first reported by The New York Times in December, the company's website and box office had been down for more than 30 hours.

The lawsuit reads, “For approximately two months, The Met failed to detect an intruder with access to and possession of The Met’s current/former employees and consumers’ data[…]It took a complete shutdown of The Met’s website and box office for The Met to finally detect the presence of the intruder.”

Following the incident, The Met requested a third-party forensic investigation, which revealed that cybercriminals had stolen personally identifiable information over a two-month period between September and December.

“Through an investigation conducted by third-party specialists, the Met learned that an unknown actor gained access to certain of their systems between September 30, 2022 and December 6, 2022 and accessed or took certain information from those systems,” Stephanie Basta, the opera’s lawyer, wrote in a letter submitted to the Maine Attorney General on May 3.

Following the lawsuit, The Met responded by offering victims a year of credit monitoring services.



Viti said The Met's response to the data breach has been "woefully insufficient" and alleged that the organization did not disclose to affected parties that their data had been compromised until May 3, nearly five months after the incident.

However, The Met rejects the claims, saying “We strongly believe this case has no merit.”

UKG Faces Payroll Violations Class Action Lawsuit in Multiple U.S. District Courts

 

Workforce management company Ultimate Kronos Group faces a proposed class action after its ubiquitous Kronos timekeeping system got whacked by ransomware last December. The aggrieved customers dragged the firm into court as scheduling and payroll were hindered at thousands of organizations, including Tesla, PepsiCo and Whole Foods.

Due to the network outage, many major firms were unable to pay workers all of their wages on time, including overtime wages and shift differentials, as they rely on Kronos products for timekeeping and prompt pay policies. 

Employees at Tesla and PepsiCo filed a class-action lawsuit against UKG in the U.S. District Court for the Northern District of California seeking damages due to alleged negligence in data security procedures and practices. New York MTA employees filed a separate suit in the U.S. District Court for the Southern District of New York against the MTA, alleging it failed to pay overtime wages due to the Kronos outage.

According to John Bambenek, principal threat hunter at security firm Netenrich, response to and recovery from the ransomware attack are UKG's responsibility, but failure to make payroll, a potential violation of the federal Fair Labor Standards Act (FLSA) and any applicable state and local laws, is the fault of the employer. The FLSA requires organizations to accurately track the hours worked by employees and pay workers accordingly. Failure to comply with these requirements could entitle workers to compensation of up to double their unpaid wages.

“The employers are responsible for making payroll. If they're using a third-party provider, and it doesn't get the job done, they're responsible for making payroll,” said John Bambenek. “That doesn't leave Kronos off the hook, however.” Kronos offers a service and couldn't provide it, so now the company may be liable to its customers, Bambenek said. “Employers can sue UKG too.”

However, the key question is whether the contracts that UKG negotiated with its customers define who might be responsible in the wake of an incident like this. In many cases, commercial contracts between a provider and a customer contain an indemnification clause, which protects the provider from legal action or damage for certain events. 

"Every vendor, especially at the level of Kronos," is going to seek an indemnification clause that benefits them in their contracts, Matthew Warner, CTO and co-founder at detection and response provider Blumira, told Cybersecurity Dive. "They're going to do as much as they can to make sure that if something goes wrong, and if there is any sort of interruption associated with it, they're indemnified for it."