National Western Hit with Class Action Over August 2020 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

National Western Life Insurance Company and National Western Life Group, Inc. face a proposed class action over an August 2020 data breach that reportedly affected thousands of customers.

According to the 43-page suit, the breach was a direct result of National Western maintaining customers’ “highly sensitive” personal information in “a reckless manner” and “condition vulnerable to cyberattacks of this type.” Per the case, the insurer’s failure to protect the data with which it was entrusted and detect the cyberattack in a timely manner has exposed those affected to a heightened risk of identity theft and fraud now that their information is “in the hands of data thieves.”

The defendants discovered on August 15, 2020 a malware incident impacting certain National Western computer systems, the suit begins. According to the case, known cybercriminals gained access to the company’s systems on August 7 or earlier and had already installed malicious software by the time the breach was discovered. The lawsuit alleges the malware “ground to a halt” the defendants’ systems and encrypted internal files while locking out employees’ access to them.

The case goes on to state that an independent data security research team identified on August 18 an online post in which the operators of REvil ransomware claimed to have breached National Western’s systems and stolen 656 gigabytes of confidential data. The data included customers’ full names, dates of birth, dates of death, state of residence, Social Security numbers, life insurance or annuity policy numbers, policy termination dates and financial account information, according to the suit. An August 23 post by the hackers included company emails and indicated that the defendants had not managed to unencrypt their files, the lawsuit says.

Per the suit, the REvil ransomware operators posted messages online indicating that they had been contacted by a representative of a competing company “to compromise Defendants’ networks” in exchange for “a good amount to satisfy our work in the National Western Life Infrastructure.” The targeted nature of the cyberattack was further evidenced by the compromise and theft of the passports of National Western’s CEO’s family members, the case adds.

The lawsuit alleges that despite learning of the security incident on August 15, the defendants failed to timely respond to the breach. While the REvil ransomware operators were contacting National Western customers directly to seek ransom payments for stolen data, the defendants only began providing notice of the breach to affected individuals in mid-January 2021, much later than required by state data breach statutes, the suit alleges.

Moreover, the initial data breach notices contained no information about the types of personal data compromised in the incident, according to the case.

Per the suit, had National Western complied with Federal Trade Commission guidelines and industry standards with respect to data security, the breach may have been prevented or mitigated.

“As the result of computer systems in dire need of security upgrading and inadequate procedures for handling cybersecurity threats, Defendants negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information,” the complaint attests.

The case claims National Western breached its contracts with customers and its fiduciary duty to protect their sensitive information.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.