Data breaches have become serious hazards for companies that store information and for their employees and customers. It therefore seems all the more maddening when data breaches occur not because of sophisticated hacking techniques but because of susceptibility to phishing, as the complaint for this class action charges in the case of the data breach at ABM Industries, Inc.
The Nationwide Class for this action is all persons whose information was in possession of ABM Industries or any of its subsidiaries at any point during the data breach. An Illinois subclass has also been proposed.
This is not the first time ABM has experienced a cyber-attack. The complaint claims that its IT systems were attacked in 2011, exposing employees' names and Social Security numbers. Now, at some time on or before August 1, 2017, the company was targeted again, this time through the low-tech means of a phishing attack.
A phishing attack occurs when hackers send fraudulent e-mails that purport to be from responsible or reputable sources asking for files of data on individuals, passwords to systems, or other protected information. The low-tech, unsophisticated attack succeeds when the e-mail recipient believes the identity of the sender and simply hands over access.
According to the complaint, ABM “was not able to detect, prevent, or respond to the attack in a reasonable manner or in a reasonable time,” allowing information to be compromised instead.
Unfortunately, ABM stores biometric identifiers or biometric information of its employees, so that data was also exposed to unauthorized persons.
To make matters worse, the company did not send out notice to employees whose information had been compromised until seven months after it discovered the attack. The complaint cites a letter sent on March 5, 2018 as first informing employees that their information had been exposed.
The complaint claims that ABM is at fault for “failure to implement a reasonable cybersecurity protocol, e.g., adequate multi-factor authentication and email screening technology…” It also claims that the company should have been alerted to the need for strong cybersecurity by the 2011 attack and should have informed employees promptly when their information was compromised. The failure to notify them promptly prevented employees from taking what measures they could to detect and mitigate any identity theft.
According to the March letter, the complaint says, ABM is “still unaware of the precise nature of the Data Breach and is ‘working diligently with third-party forensic investigators to determine what happened.’” Over seven months after the occurrence of the attack, this is not a comforting statement.
The complaint alleges negligence, breach of contract, and violations of New York’s General Business Law, among other things.