Automation Personnel Services Hit with Class Action Over Nov. 2020 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Automation Personnel Services, Inc. is on the receiving end of a proposed class action centered on a November 2020 data breach that reportedly compromised the personal information of nearly 300,000 individuals.

The 41-page lawsuit claims the defendant, a staffing agency who works with employers in the light industrial, technical, contact center, manufacturing, skilled labor and automotive industries, “intentionally, willfully, recklessly, or negligently” failed to protect the personally identifiable information (PII) of those who obtained temporary employment through the company. As a result, workers’ names, Social Security numbers and financial account information were compromised in the breach and made “freely available” to users of a “popular hacker forum,” the case alleges.

The complaint, filed June 23 in Alabama federal court, claims the breach could have been prevented had Automation Personnel Services taken reasonable steps to secure and encrypt workers’ data or destroy “decade-old” data from those who obtained work through the company many years ago. Per the case, those whose information was compromised in the breach now face a lifetime risk of identity theft and fraud.

“The ramifications of Defendant’s failure to keep secure the PII of Plaintiffs and Class Members are long lasting and severe,” the complaint scathes. “Once PII is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.”

The defendant discovered in late-November 2020  “suspicious activity impacting the operability of certain systems” on which the personal information of over 299,000 individuals who had obtained employment through the company was stored, the suit says. That December, reports began to surface that an archive of 440 GB of the defendant’s data had been “leaked on a popular hacker platform” after Automation Personnel had refused to pay a ransom to cybercriminals, according to the case. The lawsuit posits that since the data had been “freely available” on the forum, it’s likely that multiple unauthorized parties had access to the information.

According to the suit, the defendant ignored and failed to implement cybersecurity measures recommended by the FBI and U.S. Cybersecurity & Infrastructure Security Agency and industry experts such as the Microsoft Threat Protection Intelligence Team.

“Given that Defendant was storing the PII of more than 299,000 individuals, Defendant could and should have implemented all of the above measures to prevent and detect ransomware attacks,” the lawsuit contests.

Per the case, Automation Personnel waited until roughly four months after the data breach before notifying state attorneys general and those whose information was affected. Nevertheless, the defendant, the lawsuit says, has intentionally failed to disclose the root cause of the breach, the vulnerabilities exploited by cybercriminals, and the measures being taken to ensure another breach does not occur. The suit claims the damage caused by the initial breach was compounded by the company’s failure to timely notify those affected and disclose material details about the incident.

“As a result of this delayed response, Plaintiffs and Class Members had no idea their PII had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the lawsuit relays. “The risk will remain for their respective lifetimes.”

The lawsuit looks to represent anyone whose personally identifiable information was accessed during the incident referenced in the defendant’s Notice of Data Breach that was sent on or around March 17, 2021.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.