Frost & Sullivan Employee, Client Info Exposed in 2023 Data Breach, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

Frost & Sullivan faces a proposed class action over a 2023 data breach during which employees’ and clients’ sensitive information was exposed to unauthorized access. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 38-page case, the business consulting firm’s failure to implement adequate cybersecurity measures allowed cybercriminals to hack into its computer systems “on separate occasions” between March 10 and July 8, 2023.

Although the company says in its data breach notice letter that the incident exposed names and Social Security numbers, reports have surfaced that the Akira ransomware gang has gotten its hands on a much wider range of sensitive Frost & Sullivan information, the lawsuit alleges.

Australian news site CyberDaily.au reports that Akira has likely posted over 90 gigabytes of Frost & Sullivan data on the dark web, including human resource documents, payroll data, client proposals, scans of signed service agreements, invoices and purchase orders, and wire transfer and banking details, such as credit card reports, the complaint says.

Other leaked information reportedly includes “documents detailing the bonus schemes of many of the company’s senior staff,” “employee details for more than 1,200 of the company’s 1,800 staff,” and “contact lists for external clients, such as an entire folder dedicated to senior staff at Cisco, including security contacts,” the suit relays.

The filing notes that Frost & Sullivan’s notice—which it began to send to victims on September 5, 2023—came a full 59 days after the firm claims to have detected the intrusion, on July 8.

Per the case, this delay prevented data breach victims from taking early steps to mitigate the harm caused by the exposure of their private information, such as identity theft, fraud and other criminal misuse of their data.

Moreover, “[i]t is unknown for precisely how long the cybercriminals had access to Defendant’s network before the breach was discovered,” the complaint says. “In other words, Defendant had no effective means to prevent, detect, stop, or mitigate breaches of its systems—thereby allowing cybercriminals unrestricted access to its current and former employees’ and clients’ [personally identifiable information].”

The plaintiff, a former Frost & Sullivan employee, says he remained unaware that his information had been compromised until he received word from the defendant about the incident in late November 2023. Since the cyberattack, the man has been bombarded with spam messages and phone calls, and has been forced to dedicate a significant amount of time and money to protect himself from further harm, the case contends.

The lawsuit looks to represent anyone residing in the United States whose personal information was compromised in the data breach discovered by Frost & Sullivan in July 2023, including all individuals who received notice of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.