Renewal By Andersen Data Breach Class Action Says Customer Info Was Left ‘Unsecured’ for Five Years

New to ClassAction.org? Read our Newswire Disclaimer

Renewal by Andersen and two Minnesota affiliates face a proposed class action over a 2023 data breach in which the highly sensitive information of at least thousands of current and former customers was stolen by cybercriminals. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 28-page lawsuit alleges the window and door replacement company was notified by Cybernews researchers in January that an unauthorized party had gained access to its network containing sensitive customer data. Per Cybernews, nearly 300,000 unprotected, cloud-stored documents “exposed the company’s customer home addresses, contact details, and home renovation orders,” including interior and exterior pictures of consumers’ homes and their physical signatures. 

According to the case, an internal investigation revealed that Andersen’s systems were left “unsecured” between January 2018 and January 19, 2023, providing cybercriminals with “unfettered access” to current and former customers’ names, Social Security numbers, driver’s license numbers, addresses, bank account details and credit card numbers for “an appalling” five years. 

The case says that Renewal by Andersen finally began to notify data breach victims that their information had been stolen on or around May 12, four months after the company claims to have first become aware of the incident and five and a half years after the perpetrators first gained entry to its systems. 

Further, the company’s notice “obfuscated the nature of the breach and the threat it posed,” as victims were not told how many people were impacted, how the hack happened, or why it took Renewal by Andersen more than five years to discover the intrusion and four months to begin notifying victims. 

The company has still not finished sending notice to victims, the suit points out, noting that the plaintiff, a Grand Haven, Michigan resident, received no notice letter from Renewal by Andersen and was told instead by Intuit that her personal information was exposed in the data breach. 

The suit charges that Renewal by Andersen, Renewal by Andersen of the Greater Twin Cities and Renewal by Andersen of the Twin Cities failed to “reasonably secure, monitor, and maintain” the personal information with which they were entrusted. The cyber intrusion stemmed from the defendants’ “negligence and inadequate cyber security measures” and lack of “up-to-date security practices,” the filing alleges. 

According to the Maine Attorney General, nearly 13,500 people were impacted by the breach, though the lawsuit stresses that the exact number of victims is yet unknown. 

The suit says that Renewal by Andersen, a subsidiary of Andersen Corporation, the largest window and door maker in North America, has offered data breach victims two years of complimentary credit monitoring services. However, this does not adequately address the harm consumers face in the wake of the data breach, the case emphasizes. 

“Even with a year of credit monitoring services, the risk of identity theft and unauthorized use of Plaintiff’s and Class Members’ [personally identifiable information] is still substantially high,” the lawsuit reads. “The fraudulent activity resulting from the Data Breach may not come to light for years.” 

The case looks to cover all individuals in the United States whose personally identifiable information was accessed without authorization in the Renewal by Andersen data breach, including those who received notice about the incident. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.