FocusIT 2022 Data Breach Affecting Over 147K Individuals Sparks Class Action

New to ClassAction.org? Read our Newswire Disclaimer

FocusIT faces a proposed class action over its alleged failure to prevent a two-month data breach in 2022 that compromised the personal information of 147,799 current and former customers, applicants and accountholders of the banks and financial institutions it services.

The 34-page lawsuit claims unauthorized actors gained “unfettered” access to consumers’ personal information stored on FocusIT’s network from June 1 to August 3, 2022 because the financial software company, who offers mortgage and loan processing software, among other services, failed to maintain adequate cybersecurity measures. The sensitive data exposed by the cyberattack includes consumers’ names, dates of birth, addresses and Social Security numbers, the case says.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Although FocusIT promises in its privacy policy that it follows “generally accepted industry standards to protect Personal Information,” the filing contends that the company uses “outdated and insecure” computer systems that are “easy to hack.” Moreover, FocusIT failed to properly encrypt the personal information held on its servers, despite repeated warnings to safeguard sensitive data in light of an increase in cyberattacks in recent years, the complaint says.

The suit further claims that FocusIT was unable to detect the breach because it failed to adequately monitor and log network traffic, file access and file modifications. The complaint contends that FocusIT also failed to maintain proper staffing and processes for responding to and preventing network intrusions. 

According to the case, unknown cybercriminals had access to the company’s system for two months until the Texas Financial Crimes Intelligence Center discovered the breach on August 2. The filing states that FocusIT then waited nearly two months to notify victims in a “bare-bones” letter sent on September 28. The letter omitted several details about the nature of the breach, although an investigation by cybersecurity forensics firm Arete found the attack may have resulted from a phishing email that provided access to a FocusIT employee’s login credentials, the suit says.

“Plaintiff and the Class Members remain, even today, in the dark regarding what particular data was stolen, the phishing attack used, and what steps are being taken, if any, to secure their [personally identifiable information] going forward,” the filing reads. “Plaintiff and Class Members are left to speculate as to the full impact of the Data Breach and how exactly Defendant intends to enhance its information security systems and monitoring capabilities so as to prevent further breaches.”

The lawsuit argues that the year of credit monitoring FocusIT has offered data breach victims is “insufficient” given that affected individuals now face a “lifetime risk” of identity theft.

The plaintiff, an Oklahoma resident associated with one of FocusIT’s customers, says that since the incident occurred, an unauthorized user has used his personal information to log into his Verizon account and purchase a total of four iPhones.

“As a result of this fraud, [the plaintiff] suffered financial damages and was required to use his free time to mitigate the effects of the identity theft,” the case states. “Further, he was unable to obtain a new phone for a month because of these fraudulent purchases.”

The plaintiff also claims to have received an increase in spam phone calls, texts, emails and targeted advertisements since his personal information was disclosed during the breach.

The lawsuit looks to represent anyone in the United States whose personally identifiable information was compromised in the data breach announced by FocusIT on September 28, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.