Philadelphia Inquirer Data Breach Lawsuit Says Paper Waited More Than a Year to Disclose Massive Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

The Philadelphia Inquirer faces a proposed class action lawsuit that says the daily newspaper waited more than a year to disclose it had lost control of more than 25,000 individuals’ sensitive personal information in a May 2023 data breach.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 58-page Philadelphia Inquirer data breach lawsuit relays that although the publication purportedly learned of the cybersecurity incident around May 11, 2023, it did not begin to send data breach notices to victims until around April 29, 2024. According to the lawsuit, current and former Philadelphia Inquirer subscribers’ and employees’ Social Security numbers, financial details, account passwords and/or healthcare information were among the data accessed without authorization in the incident.

The privacy lawsuit alleges the Philadelphia Inquirer, which reaches more than 350,000 people daily throughout Pennsylvania, Delaware, New Jersey and Maryland, failed to have in place basic cybersecurity measures and failed to so much as encrypt or redact proposed class members’ sensitive data. Per the case, the publication retains current and former employees’ and subscribers’ data “for at least many years and even after the relationship has ended.”

“This unencrypted, unredacted Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and their utter failure to protect its employees’ and subscribers’ sensitive data,” the case alleges.

The Philadelphia Inquirer represented to employees and subscribers that their private information would be kept safe and confidential and be deleted after it was no longer necessary to maintain, the filing says. Moreover, the publication had a legal duty to safeguard proposed class members’ data from involuntary disclosure to unauthorized parties, the suit adds.

In its April 2024 data breach notice, which came in the form of an article in the paper, the Inquirer disclosed that around 25,500 current and former subscribers, current and former employees, and employees’ family members on the company health plan may have had their personal data exposed in a cyberattack. The May 2023 data breach was detected when cybersecurity vendor Cynet alerted the Inquirer to “suspicious network activity,” with some of the defendant’s publishing systems impacted thereafter, the lawsuit shares.

Per the Inquirer data breach notice, a ransomware group called Cuba claimed responsibility for the cyberattack and posted online what it claimed were the stolen Philadelphia Inquirer files, though the group “removed the claim from its site on the dark web” a day later.

According to the case, the Philadelphia Inquirer has not disclosed the root cause of the data breach or whether any ransom was paid to protect the stolen data. Further, though the publication acknowledged that news organizations have been targeted frequently in recent years by malware attacks, it nevertheless did not have appropriate cybersecurity measures in place, the lawsuit stresses.

“Defendant also failed to notify the victims of this Data Breach of its occurrence until nearly a full year after it transpired, leaving Defendant’s employees and subscribers unknowingly vulnerable to fraud and identity theft for nearly twelve whole months.”

The Philadelphia Inquirer data breach lawsuit looks to cover all persons in the United States whose private information was maintained on the publication’s computer systems that were compromised in the data breach experienced by the Philadelphia Inquirer in May 2023.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.