Dive Brief:
- Sam’s Club and vendor Cleo Communications failed to take reasonable security measures to prevent a data breach that resulted in the unauthorized access and disclosure of customers’ and employees’ sensitive personal data, a former Sam’s Club employee alleged in a class-action lawsuit April 21.
- According to the complaint in Pass v. Cleo Communications US, LLC, the two companies collected personally identifiable information but did not encrypt it or delete it when it was no longer needed. The plaintiff further claimed the defendants willfully, recklessly or negligently failed to ensure their data systems were protected from unauthorized intrusion and failed to provide prompt and accurate notice of the breach.
- The plaintiff said she took reasonable efforts to mitigate the breach’s effects but alleged actual injury as a result of the breach. She sued the two companies for negligence, breach of implied contract and unjust enrichment and demanded a jury trial. Sam’s Club said the claims had no merit and that it would “aggressively defend” against the litigation. Cleo did not immediately respond to a request for comment.
Dive Insight:
The lawsuit comes nearly a month after Sam’s Club confirmed to Cybersecurity Dive that it had been investigating a potential cyber attack. The company had been named by cybercrime organization Clop in a list of organizations that Clop said it targeted by exploiting vulnerabilities in Cleo’s file transfer software.
News of a critical vulnerability affecting Cleo’s file transfer software first surfaced last year, and researchers found that a patch issued by the company after initial reports of the vulnerability failed to provide adequate protection, according to Cybersecurity Dive. Cleo issued a subsequent patch in December.
Aside from Sam’s Club, others affected by the Cleo breach include food manufacturer WK Kellogg Co., which confirmed earlier this month that at least one employee’s sensitive data had been affected. Supply chain management company Blue Yonder said in January it was similarly investigating potential fallout from the Cleo hack, Cybersecurity Dive reported. Customers of car rental service Hertz filed two similar class-action complaints, one in Florida and one in Illinois, alleging damages resulting from the Cleo breach.
Employers and HR vendors have become routine targets of cyber criminals in recent years. In February, a data breach at third-party employment screening solutions provider DISA Global Solutions, Inc., affected more than 3.3 million individuals. DISA said it had contained the incident and would provide access to a free year of credit monitoring and identity restoration services to affected parties.
Such breaches have led to litigation including class-action lawsuits. One nonprofit employer association failed to dodge class-action litigation related to a hack that allegedly exposed workers’ data. After software provider UKG’s Kronos Private Cloud product suffered a ransomware attack in 2021, employers such as Cargill shelled out millions to settle subsequent wage-and-hour lawsuits.
HR data is valuable to criminals on the dark web and can be vulnerable to theft not only when it is being stored by an organization, but also when members of the organization export the data or use it to run reports, sources previously told HR Dive. CHROs can lead efforts to prepare employees to prevent data from being lost to phishing schemes and similar methods.