Spear Wilderman Facing Class Action Over 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims negligence on the part of Spear Wilderman, P.C. resulted in a “foreseeable” 2021 data breach that compromised the personal information of at least tens of thousands of people.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 44-page case says that Spear Wilderman, a union-side labor law firm, discovered on May 7, 2021 that an unauthorized party had infiltrated its systems. The lawsuit states that those who were impacted by the cyberattack—current and former clients and certain parties or witnesses to legal matters in which the firm was involved—had the following information, and potentially more, exposed during the breach:

• Names;
• Addresses;
• Dates of birth;
• Employment positions;
• Pay amounts;
• Driver’s license numbers;
• Social Security numbers;
• Account numbers;
• Credit card numbers;
• Routing numbers;
• Account balances; and/or
• Account statuses.

According to the lawsuit, cybercriminals were able to “easily” hack Spear Wilderman’s network because the law firm stored personal information in a database that could be accessed without a password or multifactor authentication. 

The complaint alleges that victims’ unencrypted information has already been listed for sale on the dark web, exposing them to a “substantial and imminent” risk of identity theft and fraud. The plaintiff, a Pennsylvania resident, says that money was fraudulently withdrawn from his bank account using his name, Social Security number and account information nearly two years after the data breach occurred.

“Given the theft of information that is largely static— like Social Security numbers—this risk will remain with Plaintiff and Class Members for the rest of their lives,” the filing emphasizes.

To make matters worse, the case says, Spear Wilderman waited until November 16, 2022 to inform affected individuals that their information had been stolen, roughly 18 months after the cyberattack was purportedly discovered by the firm.

Per the suit, the law firm knew or should have known that it had a legal duty to properly safeguard consumers’ data from unauthorized access yet nevertheless failed to implement so much as “basic” cybersecurity measures that could have prevented the cyberattack, such as password protection, encryption or multifactor authentication.

The lawsuit seeks to represent anyone whose private information was actually or potentially accessed or acquired during the data breach event that is the subject of the data breach notice that Spear Wilderman, P.C. published to the plaintiff and other class members on or around November 16, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.