‘Cybersecurity Expert’ Entrust Corporation Failed to Prevent 2022 Data Breach, Class Action Claims

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges self-described “cybersecurity expert” Entrust Corporation failed to prevent a June 2022 data breach that compromised employees’ and clients’ personal and health information.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 38-page case claims the Minnesota-based cybersecurity service provider fell victim to a ransomware attack on June 18 of last year that allowed notorious “ransomware gang” LockBit to access the company’s back-office system housing the defendant’s client and employee data.

Although Entrust, which purports to secure transactions, identities and data on behalf of companies and government entities, positions itself as a global leader in the cybersecurity industry, the attack stemmed from its failure to maintain adequate data security measures to safeguard the information stored on its computer network, the filing alleges.

According to the case, the cybercriminals were able to steal files containing sensitive data provided to Entrust by clients and employees, including names, dates of birth, employee identification numbers, bank account and routing numbers, and Social Security, driver’s license and health information.

“The full scope of the Data Breach, however, is either not known or has not been publicly disclosed,” the complaint reads. “In fact, Entrust appears to still be identifying which of its employees were affected by the Data Breach.”

The lawsuit says that in August 2022, LockBit published the stolen information on a dedicated leak page until the site was shut down, and the cybercriminals reportedly issued a ransom demand to Entrust, but, according to the suit, the company has offered no information about this request.

Moreover, Entrust informed affected individuals of the data breach six months after the incident had occurred, preventing them from taking steps to timely mitigate any associated risks or harm, the case relays. And as if its December 2022 notice wasn’t “unreasonably delayed” enough, the lawsuit says, Entrust waited even longer to notify hundreds of thousands of other victims.

Per the case, Entrust’s negligence has subjected affected individuals to a “present and continuing” risk of identity theft and fraud that may not materialize for years to come as their data gets trafficked on the dark web.

“In addition to out-of-pocket expenses that can exceed thousands of dollars for the victim of new account identity theft, and the emotional toll identity theft can take, some victims have to spend a considerable time repairing the damage caused by the theft of their Sensitive Information,” the suit reads.

The plaintiff, a former Entrust employee, claims to have experienced since the breach suspicious activity on his PayPal account and Wells Fargo bank account, as well as a “noticeable” increase in spam texts and phone calls.

The complaint explains that the plaintiff, along with other Entrust employees and clients, reasonably entrusted the company with his sensitive data, especially since it claims to be “a pioneer in the business of securing transactions” and “actively involved in defining industry standards and best practices.” Entrust has gone so far as to say that the “world’s most entrusted organizations trust us,” and it frequently publishes cybersecurity-related presentations “stressing the importance of maintaining adequate data security and offering advice on how to keep data safe and prevent a data breach,” the suit explains.

Despite these representations, the filing contends, Entrust’s inadequate cybersecurity practices fell short of federal and state data privacy standards, including safeguards for protecting confidential health information mandated by the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit looks to represent anyone in the United States whose sensitive information was compromised in the data breach disclosed by Entrust in July 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.