Mondelez, Others Facing Class Actions Over February 2023 Data Breach [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

At least three proposed class action lawsuits claim Mondelēz Global failed to protect the personal information of more than 51,000 employees during a February 2023 cyberattack.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

One of the complaints explains that law firm Bryan Cave Leighton Paisner LLP (BCLP), which was given access to Mondelēz’s employee data as part of the legal services it provides to the snack company, first detected unusual activity on its computer network on February 27, 2023. According to the company’s data breach notice, a subsequent investigation revealed that an unauthorized third party had accessed BCLP’s systems between February 23 and March 1. It wasn’t until March 24 that BCLP notified client Mondelēz of the cyberattack, the notice relays.

Per the lawsuits, the sensitive data compromised in the BCLP breach included, without limitation, current and former Mondelēz employees’ full names, dates of birth, Social Security numbers, addresses, genders, marital status, employee identification numbers and retirement and/or thrift plan information.

Alongside Mondelēz Global, one complaint also names as co-defendants BCLP; Mondelēz International Holdings, LLC and parent company Mondelēz International, Inc.

The cases allege that the ransomware attack, wherein cybercriminals “bypassed BCLP’s inadequate security systems” and accessed the information belonging to Mondelēz employees, was a direct result of the defendants’ failure to implement proper data security measures to protect against “foreseeable and preventable” cyberattacks.

Employees’ personal data was purportedly stored unencrypted in the system and in a “vulnerable” and “dangerous” condition, the suits share.

“Had the information been properly encrypted,” one complaint argues, “the data thieves would have exfiltrated only unintelligible data.”

The filings also take issue with the delayed notification of data breach victims. According to the lawsuits, notices were only sent to impacted individuals in mid-June of this year, four months after the cyberattack occurred and nearly three months after Mondelēz first learned of the incident.

Although victims of the breach have apparently been offered two years of complimentary credit monitoring services, the cases argue that this gesture is “wholly inadequate” to compensate affected individuals, who are now at a greater risk of “crippling future identity theft and fraud” as a result of the unauthorized disclosure of their private data.

The lawsuits look to represent anyone in the United States whose personal information was compromised in the data breach first announced by Mondelēz in June 2023, including those who received a notice of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.