Class Action Alleges SHI International Failed to Prevent 2022 Data Breach
Mantagas et al. v. SHI International Corp.
Filed: November 23, 2022 | 3:22-cv-06739-ZNQ-TJB
A class action claims SHI International failed to properly safeguard employees’ and job applicants’ sensitive information from a “foreseeable” data breach detected in July 2022.
SHI International faces a proposed class action over its alleged failure to properly safeguard employees’ and job applicants’ sensitive information from a “foreseeable” data breach detected in July 2022.
The 43-page case claims that SHI, an international IT provider and employer, discovered on July 4 of this year that cybercriminals had gained access to its computer systems. The incident compromised the personal data of at least 11,000 current and former employees and applicants, including their full names; Social Security numbers; home addresses; job titles; dates of employment; salaries; tax, banking and loan information; COVID-19 vaccination status and dates of COVID-19 illness, the lawsuit says.
Per the complaint, the malware attack that sparked the incident was a direct result of SHI’s failure to implement adequate cybersecurity measures. The case charges that SHI did not properly encrypt its employees’ data and failed to comply with Federal Trade Commission guidelines and industry best practices for maintaining sensitive information. Instead, the company chose to retain employees’ private data in a “reckless manner,” the suit alleges.
The case further contends that SHI could have detected the cyberattack sooner, or prevented it entirely, had it properly monitored its computer network. SHI’s alleged negligence runs contrary to promises made on its website that it offers “expert services” to protect employees “as cybersecurity threats and the regulatory landscape change,” the lawsuit relays.
“… SHI made these promises in, among other things, its privacy notices that are made available to employee candidates in the course of their employment enrollment process,” the case says. “Plaintiffs and the Class Members, as former and current SHI employees and employee candidates, relied on these implicit and express promises and on this sophisticated business entity to keep their sensitive Private Information confidential and securely maintained.”
According to the filing, SHI notified affected individuals of the incident in a delayed, “misleading and incomplete” letter dated July 27. The suit says that the company informed victims that cybercriminals “may” have accessed their information, even though it knew that the data had been compromised. The notice also failed to mention the nature of the compromised data, how malicious third parties were able to infiltrate SHI’s system and whether the information is still in the hands of the attackers, the complaint asserts.
The company has offered data breach victims two years of credit monitoring, which the lawsuit argues is “inadequate” given that affected individuals must guard against a lifelong risk of identity theft and other fraudulent uses of their personal information.
One plaintiff, a former SHI employee, claims that their credit card information was used to make fraudulent charges in the wake of the data breach. The second plaintiff, also a former employee, says that they have experienced an increase in spam phone calls, emails and texts.
As the case tells it, SHI should have known that its electronic records would be targeted by cybercriminals based on warnings issued by the FBI and U.S. Secret Service, as well as recent high-profile ransomware attacks against other major companies.
The lawsuit looks to represent anyone whose private information was maintained on SHI’s computer systems that were compromised in the 2022 data breach and who was sent a notice of the incident.