Communications Litigation Today was a Warren News publication.
'Double Extortion' Tactic

Delphinus Has 'Done Little' to Remedy Data Breach, Says Former Employee

Delphinus Engineering, a professional services provider and U.S. military contractor, lost control over current and former employees’ personally identifiable information (PII) in an Oct. 23 data breach, alleged a class action Tuesday (docket 2:24-cv-01810) in U.S. District Court for Eastern Pennsylvania in Philadelphia. The company notified victims 177 days after the breach began, it said.

Delphinus, which bills itself as a service provider with core competency in cyber operations and security, among other marine-oriented services, notified data breach victims in an April 10 letter of “recently detected unauthorized activity in our IT systems.” Affected information may have included name, Social Security number, date of birth and passport number, said the notice. The company offered individuals affected by the breach 24 months of credit monitoring and “identity restoration” service from Experian.

Despite offering “some victims” credit monitoring and identity-related services, Delphinus has “done little” to remedy the breach, said the complaint. The services are “wholly insufficient” to compensate plaintiff Jason Wilsterman, a Bremerton, Washington, resident, and class members for injuries inflicted on them, it said. Wilsterman, a former Delphinus employee, received notice of the data breach Friday and on information and belief, his PII “has already been published -- or will be published imminently -- by cybercriminals on the dark web,” said the complaint.

Wilsterman has already suffered from identity theft and fraud, including fraudulent inquiries on his credit report, alleged the complaint. An identity thief applied for a bank account in his name at an out-of-state bank, and an identity thief changed the login credentials and associated phone number for his Veteran Affairs account, which he discovered when attempting to log into the account, it said. An identity thief created a fake LinkedIn account under Wilsterman’s name, using his photo as the profile picture, it said. The plaintiff has spent “significant time and effort” monitoring his account to protect against identity theft, it said.

An April 10 letter from Delphinus to the New Hampshire Attorney General’s Office said 14 New Hampshire residents could be affected by a Dec. 11 CL0P ransomware attack that affected its network and some of its systems, the complaint said. CL0P is “an especially notorious cybercriminal group known for its use of the "'double extortion' tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data,” said the complaint, citing a joint report from the FBI and Cybersecurity and Infrastructure Security Agency, following the Progress Software MOVEit data breach a year ago.

Delphinus was added to the CL0P group’s data leak site after it exfiltrated “employees’ data, incident reports, contractors’ documents, agreements, and financial data," said a December tweet on the X platform by HackManac.

Because of Delphinus’ data breach, Wilsterman will continue to suffer from anxiety, sleep disruption, stress, fear and frustration, said the complaint. He has already suffered actual injury from the exposure of his PII and damage to and diminution in value of his PII, it said.

Wilsterman asserts claims of negligence and negligence per se, breach of implied contract, unjust enrichment and breaches of fiduciary duty and confidence. He requests awards of compensatory, exemplary, punitive and statutory damages; restitution and damages; injunctive relief; attorneys’ fees and costs; and pre- and post-judgment interest.