Communications Litigation Today was a Warren News publication.
Bank Account Hacked

Plaintiff Suffered ‘Concrete Injuries’ From Macmillan Data Breach: Suit

Publisher Macmillan “lost control” over the “litany” of highly sensitive personally identifiable information (PII) it stores for “thousands” of its current and former employees when cybercriminals “infiltrated its insufficiently protected computer systems in a data breach,” alleged plaintiff Victoria Batchelor of Tulsa in a fraud and negligence class action Monday (docket 1:23-cv-01217) in U.S. District Court for Southern New York.

Macmillan had no effective means “to prevent, detect, stop, or mitigate breaches of its systems,” thereby allowing cybercriminals “unrestricted access” to employee PII, said Batchelor’s complaint. The publisher “failed to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards or protocols,” it said.

Because the Macmillan breach affected only current and former employees, it was somewhat lower-profile than the Samsung and T-Mobile breaches that affected millions of customer accounts and touched off dozens of class actions against those companies. But the Macmillan breach appears, by Batchelor’s account, to have exposed much more intimate data to bad actors, including Social Security numbers.

Batchelor received notice Dec. 1 that her PII was hacked, said the complaint. She brings the class action on behalf of herself and all others harmed by Macmillan’s “misconduct,” it said. The complaint estimates Macmillan injured 19,178 current and former employees by not protecting their PII.

Macmillan was first hacked June 16, with the attack lasting for nine more days, giving criminals “plenty of time” to seize the “exposed” PII, said the complaint. Bad actors gained access to employees’ social security numbers, driver’s license numbers, financial account information and online account login credentials, it said. Macmillan waited until Dec. 1 to begin notifying the class, it said.

The company has done little to “remedy” its data breach, or help the victims protect themselves from identity theft, said the complaint. Though Macmillan offered “concessions of credit monitoring and identity services,” such services don’t “properly compensate” the victims for the injuries the company “inflicted upon them,” it said.

Batchelor worked for Macmillan for five years, but her employment ended about six years ago, said her complaint. She provided her PII as a condition of her employment, “and trusted the company would use reasonable measures to protect it” in compliance with its own internal policies, plus state and federal law, it said.

She nevertheless suffered “multiple concrete injuries” due to Macmillan’s misconduct, said her complaint. There were multiple unauthorized withdrawals from her Bank of Oklahoma account, and an unknown culprit tried to use her financial information gained from the breach to buy an $800 iPad, it said. Since the breach, Batchelor “has suffered from an increasing flood of spam texts and phone calls,” it said.

Her complaint seeks an award of declaratory and “other equitable relief,” plus restitution and damages “in an amount to be determined at trial,” it said. She also seeks leave to amend the complaint “to conform to the evidence produced at trial,” it said. Macmillan didn’t comment Tuesday.