Communications Litigation Today was a Warren News publication.
Notified Victims 11 Months Later

Pair of Negligence Actions Are Filed vs. Philadelphia Inquirer From May 2023 Breach

The Philadelphia Inquirer knew of a May 2023 data breach of its computer network affecting the personally identifiable information (PII) of current and former employees and subscribers, but it waited nearly a year to inform victims of the cyberattack, a May 6 negligence class action alleged (docket 2:24-cv-02499). It was removed Friday from the Court of Common Pleas of Philadelphia County, Pennsylvania, to U.S. District Court for Eastern Pennsylvania. The suit also names the Inquirer’s owner, the Lenfest Institute for Journalism.

Philadelphia resident Steven Hassell received a letter April 29 informing him his PII was accessed or exposed to unknown, unauthorized third parties in the data breach that occurred the previous May. The data thieves acquired the plaintiff’s full name and Social Security number, the complaint said, and Hassell was informed that hackers compromised at least one of his accounts, which he believes resulted from the incident.

In response to the April breach notice, Hassell made reasonable efforts to mitigate its impact, including reviewing credit reports and financial account statements for indications of attempted identity theft or fraud, the complaint said. He has experienced “suspicious spam” and believes it is an attempt to secure more of his PII, it said. The plaintiff has spent “many hours dealing with” the breach, and anticipates spending “considerable time and money on an ongoing basis” addressing harms it may cause, it said.

Hassell believes his and class members’ PII was sold on the dark web, as that is the “modus operandi” of cybercriminals who commit such attacks, the complaint said. The risk of identity theft is “impending and has materialized” as there is evidence that Hassell’s and class members’ PII was “targeted, accessed, misused, and disseminated” on the dark web, it said. The newspaper’s notice letter said potentially affected files include names, Social Security numbers, birth dates, driver’s license and passport numbers, financial account numbers, and health and medical information, the complaint said. Some 25,500 individuals were affected, it said.

The complaint alleges that had the Inquirer properly secured and encrypted files and servers containing class members’ PII, the breach could have been prevented. The negligence suit also claims breach of contract and implied contract. Hassell requests compensatory, statutory treble and/or punitive damages; an order of restitution; injunctive relief; attorneys’ fees and costs; and pre- and post-judgment interest.

A second negligence class action in the Court of Common Pleas of Philadelphia County, Devine v. The Philadelphia Inquirer, was also removed Friday to the same district court. In that May 3 case (docket 2:24-cv-02503), Christopher Devine, a Corryton, Tennessee, resident, said that as a condition of service, the newspaper requires subscribers to provide sensitive information such as names, addresses and payment information.

The defendant “made promises and representations” to its subscribers and employees that the PII it collected would be kept “safe, confidential, that the privacy of that information would be maintained” and that it would “delete any sensitive information after it was no longer required to maintain it,” the complaint alleged. Devine and class members had the "reasonable expectation” that the Inquirer would “comply with its obligations to keep such information confidential and secure from unauthorized access,” it said.

Ransomware group Cuba claimed responsibility for the cyberattack and posted on the dark web what it said were stolen Inquirer files with data. However, Cuba removed the claim a day later, alleged the complaint, citing comments by the newspaper's publisher and CEO Lisa Hughes. She said in the days following the incident that the newspaper didn’t see evidence that any Inquirer information was shared; she also didn't say whether the newspaper company had paid a ransom in exchange for the removal of Cuba’s claim, the complaint said.

In addition to negligence, Devine asserts claims of public disclosure of private facts, unjust enrichment and violations of Pennsylvania’s Breach of Personal Information and Notification Act and Unfair Trade Practices and Consumer Protection Law. He requests injunctive and declaratory relief; “appropriate relief” for himself and the class; pre- and post-judgment interest; and attorneys’ fees and costs.