Sysco Corporation Failed to Protect Employee Info During 2023 Data Breach, Class Actions Allege [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

Sysco Corporation faces at least three proposed class actions in the wake of a data breach the global food distributor announced earlier this month.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

One lawsuit, filed on May 17 in Texas, says highly sensitive data belonging to at least 71,000 current and former Sysco employees was exposed after cybercriminals hacked the defendant’s network on or around January 14, 2023. According to the complaint, Sysco did not discover it had been hacked until March 5.

The case reports that the unencrypted information compromised in the breach included employees’ names, dates of birth, phone numbers, addresses, email addresses., passport numbers, driver’s license numbers, federal/state identification card numbers, tax identification numbers, Social Security numbers and/or financial account information.

A lawsuit filed on May 18 attributes the “massive and preventable” cyberattack to Sysco’s “inadequately protected” network servers, where the company allegedly kept workers’ private information unprotected.

“Defendant could have prevented this Data Breach by properly securing and encrypting the folders, files, and or data fields containing the [personally identifiable information] of Plaintiff and Class Members,” one case reads. “Alternatively, Defendant could have destroyed the data it no longer had a reasonable need to maintain or only stored data in an Internet-accessible environment when there was a reasonable need to do so.”

The cases further argue that Sysco should have heeded “repeated” warnings urging companies to secure sensitive data amid a substantial increase in cyberattacks in recent years.

A third lawsuit, also filed on May 17, claims that Sysco knew or should have known that it would be targeted by cybercriminals who seek to steal and monetize employees’ valuable data.

“They do this by selling the spoils of their cyberattacks on the black market to identity thieves who desire to extort and harass victims or to take over victims’ identities in order to engage in illegal financial transactions under the victims’ names,” the case says, claiming that impacted individuals face an “imminent, immediate, and continuing” risk of identity theft and other forms of fraud.

The filings say that Sysco data breach victims remained unaware of these ramifications for four months until the company alerted them to the incident in a May 5 notice letter.

Sysco had a legal duty to maintain employees’ sensitive information in accordance with industry standards relating to data security, including basic encryption techniques, the suits allege.

The lawsuits look to represent anyone within the United States whose personally identifiable information was exposed to unauthorized third parties as a result of the data breach discovered by Sysco Corporation on March 5, 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.