Los Angeles Housing Authority Hit with Class Action Over Nearly Year-Long Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims negligence by the Housing Authority of the City of Los Angeles (HACLA) in securing applicants’ information is to blame for a data breach the agency experienced for nearly all of 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 22-page lawsuit claims that HACLA’s failure to implement sufficient cybersecurity measures allowed cybercriminals to hack its computer systems and exfiltrate approximately 15 terabytes of private data from January 15 to December 31, 2022. According to the case, the data compromised in the breach included the Social Security numbers, dates of birth and driver’s license numbers of thousands of current and former housing applicants.

The complaint relays that LockBit, an infamous ransomware group that took credit for the breach, uploaded applicants’ stolen information to the dark web on December 31. Citing a 2007 report from the United States Government Accountability Office, the suit says that malicious actors can use a victim’s Social Security number to open financial accounts, receive government benefits, incur charges or credit in their name and commit other forms of identity theft and fraud.

Affected applicants will continue to face these risks throughout their respective lifetimes, the case notes. Although fraudulent activity resulting from the cyberattack may not come to light for years, the plaintiff, a California resident who applied for housing assistance through the state-chartered agency, says he has already received significantly more spam texts, calls and emails since the incident transpired, the complaint says.

Considering the substantial increase in data breaches in recent years, as well as widespread coverage of similar attacks, HACLA “clearly knew or should have known of the risks of data breaches and thus should have ensure [sic] that adequate protections were in place,” the suit contends.

Per the filing, the defendant has “compounded the actual and potential harm” to those whose data was compromised by waiting several months after it discovered the breach last December to send notification letters to impacted individuals.

The agency’s March 2023 notice letter failed to offer any compensation for damages victims may incur, including out-of-pocket costs associated with identity theft prevention, detection and recovery, the suit says. Instead, HACLA merely instructed applicants to sign up for a complimentary year of credit monitoring by June 30, 2023, which the filing argues is an “unreasonably short window of opportunity” to claim these “insufficient” services.

Also absent from HACLA’s notice letter were details about how the agency plans to improve its cybersecurity procedures to prevent future cyberattacks, the case notes.

“Defendant had obligations created by contract, industry standards, common law, and representations made to current, former, and prospective [applicants] to keep Plaintiff’s and Class Members’ Sensitive Information confidential and to protect it from unauthorized access and disclosure,” the complaint reads.

The lawsuit looks to cover anyone whose sensitive information was exposed to unauthorized access by way of the data breach of the Housing Authority of the City of Los Angeles’ computer system between approximately January 15 and December 31, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.