Government Contractor Opexus Hit with Class Action Lawsuit Over February 2025 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Opexus, formerly known as AINS, has been hit with a proposed class action lawsuit alleging that the government technology contractor failed to prevent a data breach in which two former employees were able to access and delete highly sensitive government and third-party information.

Get class action lawsuit and class action settlement news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter.

The 54-page data breach lawsuit asserts that Opexus, which operates platforms for processing federal government records and claims to handle sensitive data for nearly every U.S. federal agency, failed to implement reasonable cybersecurity measures or use even the “most basic” personnel screening measures to protect confidential government and sensitive personal information from a “catastrophic” data breach.

According to the case, Opexus experienced a data breach in February 2025 when two former employees, twin brothers who had been previously prosecuted and convicted by the United States government for federal hacking and wire-fraud offenses before being hired by Opexus, used insider privileges to extract, delete and corrupt databases storing government records, including records related to Freedom of Information Act (FOIA) requests, enforcement actions, audits and investigations.

Despite having been convicted of crimes arising from a conspiracy to execute a “coordinated, multi-stage cyberattack on government systems,” the brothers allegedly involved in the data breach were able to successfully find employment with Opexus, the lawsuit highlights. Per the case, their criminal histories were only noted when another government agency flagged them as “insider threats,” after which they were reportedly fired.

Even after the employees’ criminal histories came to light, Opexus apparently did not revoke their access to confidential government information stored on its systems, “directly enabling” the data breach, the suit says.

According to a press release announcing the brothers’ arrest, they allegedly “sought to harm” Opexus and its government customers following their termination by accessing systems without authorization, blocking others’ access to databases, deleting databases, stealing information and destroying evidence of their actions.

Opexus, the case says, should have had systems in place to prevent insiders from engaging in “prolonged” unauthorized activity but failed to adhere to “well-established” cybersecurity and risk management practices.

“The risk of misuse, retaliation, or data destruction under these circumstances was not speculative, it was obvious, foreseeable, and entirely preventable through minimal due diligence,” the filing scathes. “As such, this was not a close call or a nuanced judgment error. It was a categorical failure to apply even the most basic principles of personnel security and risk management.”

The class action lawsuit further states that Opexus, which has allegedly received tens of millions of dollars in contracts with the federal government, should have the means, sophistication, and resources to implement “robust” cybersecurity controls, including restrictions on insider access, in line with the confidential nature of the data stored on its platforms.

The filing explains that the Federal Trade Commission has published guidance recommending that entities that store personally identifiable information create a “comprehensive” information security program, including risk assessment, access controls, background screening, monitoring for unauthorized activity, encryption of sensitive data, and cybersecurity training for employees.

Moreover, the lawsuit says that industry best practices similarly require organizations to mitigate insider threats, including by implementing continuous monitoring alerts for unusual activity by privileged users, controls to prevent or detect mass copying or export of sensitive information, data loss prevention mechanisms, and offboarding procedures that immediately revoke insider access at or before termination.

Not only did Opexus fail to prevent the breach, but it did not notify affected individuals in a timely, actionable manner, the suit says. Per the filing, the delay “deprived” individuals of the opportunity to take steps towards protective measures that may have mitigated the personal impact of the breach at the “earliest possible moment.” As a result of the data breach, the plaintiff and class members now face an increased risk of identity theft, fraud and loss of privacy, the lawsuit states.

The Opexus class action lawsuit seeks to cover all individuals in the United States whose personally identifying information was accessed, copied, exfiltrated, destroyed, compromised, or placed at a material risk of misuse as a result of the February 2025 data breach.

Check out ClassAction.org’s lawsuit list for the latest open class action lawsuits and investigations.