Navistar Data Breach: Employee Alleges Hack Was ‘Eminently Avoidable’

New to ClassAction.org? Read our Newswire Disclaimer

A Navistar employee alleges in a proposed class action that a May 2021 data breach in which the sensitive personal and health information of more than 63,000 current and former workers was exposed could have been avoided entirely.

The 68-page case, at least the second filed over the data breach, alleges Navistar, one of the nation’s largest commercial vehicle and parts manufacturers and distributors, failed to invest in adequate data security and thus allowed “malevolent actors” to access and exfiltrate highly sensitive personal and health information belonging to the company’s current and former employees. The suit argues that Navistar’s subsequent delay in disclosing the breach, despite first acknowledging its existence in a June SEC filing, “virtually ensured” that those responsible for the hack could “monetize, misuse and/or disseminate” the stolen information before victims could take affirmative steps to protect their identities. 

“Now, Plaintiff and similarly situated persons will for years suffer the significant and concrete risk that their identities will be (or already has [have] been) misused—a virtual certainty given that Plaintiff’s and the Class’ [personally identifiable information] and/or [personal health information] were being sold on the dark web long before Navistar notified Class members of the data breach,” the complaint says, calling the cyberattack “eminently avoidable.” 

According to the filing, the data stolen from Navistar was posted for sale on a “leaked data marketplace.” The lawsuit states that the hackers who put the data up for sale indicated in their post that Navistar had “completely ignored [their] warnings,” which the suit says suggested that the hack was part of a ransomware attack. 

The suit charges that the poster of the stolen data said that rather than prevent the release of current and former employees’ information, Navistar “ignored the hackers (and their likely ransom demands)” before the information was posted for sale online. 

“Navistar, in other words, had ample opportunity to safeguard Plaintiff’s and the Class’ data even after its systems were breached, but refused to do so, thereby placing its own financial interest above that of the thousands of individuals whose [personally identifiable information] and [personal health information] it was duty-bound to protect,” the complaint argues. 

The plaintiff, who works at Navistar’s Melrose Park, Illinois assembly plant, claims to have first received notice of the May 2021 data breach in a letter dated July 6, 2021 and titled “Notice of Data Breach. The suit claims that although the letter was dated July 6, the plaintiff did not receive the notice until weeks later. According to the complaint, Navistar currently has approximately 12,000 workers worldwide, including thousands in the U.S. 

Per the case, the first notice sent by Navistar revealed that the plaintiff’s name, address and Social Security number had been accessed by hackers. A second notice relayed that additional information pertaining to the plaintiff’s participation in the Navistar Health Plan and retiree health benefit and life insurance plan was also compromised, the suit says. 

The lawsuit stresses that the Navistar data breach has already required the plaintiff to expend significant time and effort to protect himself and his family from potential consequences of the incident, including paying upward of $400 out-of-pocket for a suite of tools to monitor and protect against identity theft. Upon enrolling in the program, the plaintiff was informed that his personal and/or health information was detected on the dark web, according to the complaint. 

Although some reports have said the Navistar cyberattack lasted more than a month, the company, to date, has not acknowledged publicly the length of time that the unauthorized individuals had access to its computer systems, the case says. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.