TIAA is the latest organization to be sued for exposing its former and current employees to a data breach involving the MOVEit file-transfer software.
Former TIAA employee and current retiree Andre Lopez filed the class-action lawsuit against the financial services giant this week in the U.S. District Court for the Southern District of New York. He accuses TIAA of unproperly securing and safeguarding his personally identifiable information (PII), including his name, Social Security number, gender, date of birth, and physical address, along with 2.3 million other retirees, pension holders, and other financial customers.
TIAA had formerly hired PBI, a vendor that provides search tools to financial services institutions, who also uses PSC, a software company that offers storage and transfer services of client data. PBI had utilized PSC’s MOVEit transfer file service to move Lopez’s and other class members’ personal information.
The complaint states that in undertaking this responsibility, TIAA and PBI “were both obligated to only hire vendors who maintain adequate data security practices and PSC is obligated to ensure that their file transfer systems—like MOVEit—are secure.”
The cyber breach involving PSC’s MOVEit transfer software occurred on May 29 and 30, when an unauthorized “cybercriminal” accessed and exploited the software. The third-party had then downloaded and exported the plaintiff’s and class members’ personally identifiable information.
“This Data Breach was likely perpetrated by a well-known cybergang called Clop,” the suit states. “The modus operandi of a cybergang like Clop is to offer for sale [on the dark web] unencrypted, unredacted private information like the PII of Plaintiff and the Class members. Thus, the Plaintiff and Class members are in imminent harm of identity theft and other identity-related crimes.”
After the breach occurred, Lopez claims TIAA never notified individuals regarding the cyberattack. Instead, Lopez says PBI disclosed the cyber incident to victims six weeks after the breach occurred, on July 14. Because PBI was a third-party company that class members had never heard of, many trashed the notice instead of keeping it, and therefore remain unaware of the breach, Lopez states in the suit.
Additionally, remediation of 24 months of identity theft protection for the victims of the data breach was only offered by PBI. TIAA, Lopez states, never provided any sort of remedy.
“By continuing to drag its feet, Defendant allowed cybercriminals to get a running start on harms to Plaintiff and the Class members, rather than accepting responsibility for Defendant’s failures within their data storage, data systems and relevant cybersecurity apparatus. While Defendant could have given Plaintiff and the Class members the ability to start acting [like imposing credit freezes] to protect themselves, Defendant continues to make a conscious decision not to do so,” the complaint reads.
On behalf of himself and other class members, Lopez seeks restitution, actual damages, nominal damages, statutory damages, injunctive relief, and disgorgement of profits.
SEE ALSO: