The Paradies Shops, LLC faces a proposed class action over an October 2020 data breach that reportedly compromised the personal information of more than 76,000 current and former employees.
The 51-page case claims the defendant, who operates 850 stores and 170 restaurants and bars in more than 100 airports, has failed to properly safeguard employees’ information and prevent its unauthorized disclosure. According to the suit, the Paradies Shops’ cybersecurity failures allowed ransomware group REvil to access current and former employees’ names and Social Security numbers through the defendant’s internal administrative system between October 8 and 13, 2020.
The case alleges the Paradies Shops could have easily prevented the data breach by employing reasonable data security systems and protocols, and mitigated its effects by timely notifying those affected. Instead, the suit says, the defendant waited until late June 2021 to begin sending notice to current and former employees whose information was compromised and who remain at a heightened risk of identity theft as a result.
“As a result of this delayed response, Plaintiff and Class Members had no idea their [personally identifiable information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the complaint reads. “The risk will remain for their respective lifetimes.”
Per the lawsuit, the October 2020 data breach, which first came to light around October 14, when reports of the incident began surfacing on the Internet, was a direct result of the defendant’s failure to follow reasonable cybersecurity practices, including those recommended by the FBI, the U.S. Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. The complaint claims the breach could have been prevented had the Paradies Shops encrypted the sensitive files stored on its servers or destroyed old data from former employees.
The suit further alleges that although the Paradies Shops notified consumers and state attorneys general in late June 2021 that it had experienced a data breach, the defendant has failed to disclose “details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure a breach does not occur again.”
The case looks to represent U.S. residents whose personally identifiable information was contained in records that were exfiltrated during the October 2020 ransomware attack that was disclosed to those affected around June 30, 2021.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.