TD Ameritrade is facing yet another lawsuit linked to the industry-wide data breach involving the MOVEit transfer software.
Filed in the U.S. District Court for the District of Nebraska, plaintiff Fortuno Jeanfort states he and other class members have experienced, and will continue to incur, damages in the form of identity theft, attempted identity theft, lost time, expenses, increased risk of harm, damaged credit, and more as a result of TD Ameritrade’s “unlawful, willfull, and wanton failure to protect the personal identifiable information (PII) of approximately 61,160 individuals.”
Furthermore, the suits states that Jeanfort and class members have experienced fraudulent credit card charges since the breach and now share a lifetime risk of identity theft.
Like many other financial institutions, TD Ameritrade had previously worked with vendors who utilized the MOVEit transfer software to move personal and sensitive information.
The plaintiffs allege that TD Ameritrade betrayed their trust by failing to safeguard and protect their personal information, thereby “enabling cybercriminals to steal such valuable and sensitive information,” and argue that the breach was foreseeable and preventable. According to the suit, Jeanfort and class members accuse TD Ameritrade of failing to inquire, oversee, and monitor MOVEit’s data security before using it to store and transfer clients’ personal and sensitive information.
“Defendant was negligent and did not use or implement reasonable security procedures, oversight and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining for Plaintiff and Class Members, causing the exposure of PII for Plaintiff and Class Members,” the suit states. “Because Defendant had a duty to protect Plaintiff’s and Class Members’ PII, Defendant should have known through readily available and accessible information about potential threats for the unauthorized exfiltration and misuse of such information.”
This readily and accessible information included cybersecurity protocols published in the NIST Cybersecurity Framework, the Data Breach and Encryption Handbook, the United States Cybersecurity & Infrastructure Security Agency, and other resources.
Additionally, the suit accuses TD Ameritrade of failing to inform its clients of the breach in a timely manner, noting that while TD Ameritrade learned of the cyberattack on or around May 30, victims were not notified until August 3.
Since being notified of the breach, plaintiffs say they have not received details of the root cause behind the data hack, the vulnerabilities exploited, or the remedial measures that will be taken to ensure a breach would not occur again.
Plaintiffs are seeking compensatory damages, punitive damages, attorneys’ fees, expenses, costs, and other relief.
The class action suit comes just days after TD Ameritrade was named in another complaint with Charles Schwab, also connected to the MOVEit data breach. Other organizations who are being sued for negligence related to the hack include Prudential, TIAA, and New York Life.
The massive hack on the MOVEit transfer software occurred at the end of May, when a ransomware cybergang called Cl0P accessed and exploited the software through a vulnerability in the system. The hackers downloaded, exported, and stole personal information from 40 million victims, including Social Security numbers, mailing addresses, and more.
SEE ALSO:
- Prudential, Charles Schwab, TD Ameritrade Named in Latest MOVEit Suits
- TIAA Sued For MOVEit Cyber Hack
- New York Life Data Stolen in MOVEit Breach
Amanda Umpierrez is the Managing Editor of 401(k) Specialist magazine. She is a financial services reporter with over six years of experience and a passion for telling stories and reporting news. Amanda received her degree in journalism and government and politics at St. John’s University. She is originally from Queens, New York, but now resides in Denver, Colorado with her partner. In her free time, Amanda enjoys running, cooking, and watching the latest drama show.