Communications Litigation Today was a Warren News publication.
'Multiple Unauthorized Charges'

Centennial Bank Notifies Data Breach Victims a Year After It Occurs: Class Action

Centennial Bank began notifying victims of a data breach April 19, “a whole year” after the breach occurred, alleged a negligence class action Friday (docket 4:24-cv-00415) in U.S. District Court for Eastern Arkansas.

The data breach letter Centennial sent to Dennis Barfield, a Wewahitchka, Florida, resident, plus state attorneys general, said the defendant became aware April 19, 2023, of “unauthorized access” on its servers that caused a “disruption” to its IT network. After an “unspecified” time -- between the dates the company became aware of the data breach and then sent the notice letters -- the company’s investigation determined that an unauthorized actor accessed the network and “certain files were copied,” the complaint said.

Barfield and class members’ personally identifiable information (PII) was in the hands of cybercriminals for over a year before they were notified, meaning the cyberthieves were able to gain access to and obtain their PII, the complaint alleged. Upon information and belief, the stolen data wasn’t encrypted, it said, and Barfield “reasonably believes” his PII is for sale on the dark web, consistent with the modus operandi of data thieves.

Since the breach, Barfield has received a combination of about 200 spam calls, texts and emails daily about his Social Security “and other strange matters,” alleged the complaint. He had to create a new email address due to all the spam emails, the complaint said. The plaintiff has had multiple unauthorized charges and “attempts to his financial accounts,” it said. He had to replace “at least 3 bank cards and move his money around to stop the attempted charges that were not made by him,” it alleged.

Someone accessed Barfield’s bank account online after the breach and changed the debit card PIN, alleged the complaint. The hacker used his debit card information to make a $450 withdrawal from an ATM in Miami, it said. To get reimbursed, Barfield had to provide documentation from his employer that he wasn’t physically in that location to make the withdrawal, it alleged. An unauthorized charge of about $100 was made via his Amazon account, said the complaint.

The bank reported to AGs that the breached information included Social Security numbers, financial account and credit/debit card information, relationship status, usernames and email addresses, plus passwords. Centennial had obligations to keep that PII confidential and protect it from unauthorized access and disclosure, said the complaint. It could have prevented the breach by properly encrypting or otherwise protecting its equipment and computer files, it said. It also had a duty to train its employees, use technology to defend its systems from an attack, “act reasonably to prevent foreseeable harm” and to “promptly notify” Barfield and class members when it knew their PII was compromised, it said.

Centennial is encouraging data breach victims to enroll in credit monitoring, fraud consultation and identity theft restoration services, “a tacit admission of the imminent risk of identity theft” they face, said the complaint. Its inaction has put them at “an imminent, immediate and continuing increased risk of identity theft and identity fraud,” it said. As a result of the breach, Barfield and class members face “substantial and imminent risk of future identity theft,” it said. They will have to continue to spend time exploring credit monitoring and identity theft insurance options and self-monitor their accounts, the complaint said.

Barfield asserts claims of negligence, breach of implied contract and unjust enrichment. He seeks for himself and class members equitable relief enjoining Centennial from engaging in the wrongful conduct described related to the disclosure of their PII and “refusing to issue prompt, complete and accurate disclosures of the breach,” the complaint said. He also seeks equitable relief requiring the bank to use appropriate methods regarding consumer data collection and storage and requiring restitution and disgorgement of revenues wrongfully retained as a result of its wrongful conduct. He seeks an award of actual, compensatory and statutory damages; attorneys’ fees and costs; and pre- and post-judgment interest.