Consumer Electronics Daily was a Warren News publication.
'Outdated' Computer Systems

Plaintiff Says Thieves Tried to Open 2 Bank Accounts in His Name After Data Breach

Plaintiff Michael Harris became a victim of identity theft when unauthorized individuals attempted to open bank accounts in his name, said a Tuesday negligence class action (1:23-cv-11816) in U.S. District Court for Massachusetts in Boston. The suit names Progress Software Corp. (PSC) for a May data breach involving its MOVEit file transfer software.

Harris’ personally identifiable information (PII) was compromised in the data breach, alleged the complaint. Harris’ bank, Franklin Mint Federal Credit Union (FMFCU), used MOVEit and transferred his PII to PSC, said the complaint. The Pennsylvania resident first learned of the breach when he received a notice from the defendant July 24, and “shortly after and as a result of” the breach, Harris experienced an increase in spam and suspicious phone calls, texts and emails.

In the days and weeks following, two attempts were made by unauthorized individuals to open bank accounts in his name, he said. Harris spent a “significant amount of time” responding to the breach and will continue to spend valuable time he would have spent on other activities researching the breach, reviewing financial statements and monitoring his credit information, he said.

Cybercriminals can cross-reference two sources of PII to marry unregulated data available elsewhere to criminally stolen data with “an astonishingly complete scope and degree of accuracy in order to assemble complete dossiers, known as ‘Fullz’ packages on individuals," the complaint said. With Fullz packages, stolen PII from the data breach can easily be used to link and identify it to Harris’ and class members’ phone numbers, email addresses, and other unregulated sources and identifiers.

Even if certain information such as emails, phone numbers or credit card numbers may not be included in the PII stolen by the cybercriminals in the data breach, “criminals can easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers) over and over,” the complaint said. “That is exactly what is happening to Plaintiff and members of the proposed Class,” it said.

PSC’s use of “outdated and insecure computer systems and software that are easy to hack, and its failure to maintain adequate security measures and an up-to-date technology security strategy, demonstrates a willful and conscious disregard for privacy,” said the complaint. The company “failed to adequately protect the PII” of Harris and the “and potentially thousands of members of the proposed Class to unscrupulous operators, con artists, and outright criminals,” it said.

PSC “largely put the burden on Plaintiff and Class Members to take measures to protect themselves,” urging those affected to “remain vigilant by reviewing your account statements and credit reports closely,” order a free credit report and contact the FTC or state attorney general’s office if they believe they were a victim of identity theft, the complaint said.

Harris asserts claims of negligence, negligence per se and unjust enrichment. He seeks, among other requirements, orders that PSC protect, delete and purge sensitive information; implement and maintain a comprehensive data security program to protect the confidentiality of consumers’ PII; and prohibit PSC from maintaining class members’ PII on a cloud-based database until proper safeguards are implemented. He seeks awards of actual, nominal, consequential and punitive damages, plus attorney’s fees and legal costs.

A PSC spokesperson emailed Friday: "We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed."