Ace Hardware is currently embroiled in a class action lawsuit filed by plaintiff Justin Randall and others, accusing the company of inadequately responding to a cyberattack that compromised sensitive personal information, including Social Security numbers.
The lawsuit, filed in the Northern District of Illinois, alleges that Ace Hardware downplayed the impact of the breach and was slow to inform affected parties, potentially violating state and federal laws.
Justin Randall, a former employee of Ace Hardware, represents the class, which includes current and former employees and prospective job applicants whose personal identifiable information (PII) was compromised.
The lawsuit claims that Ace Hardware's insufficient cybersecurity measures allowed unauthorized access to the PII of its employees and applicants. This breach reportedly began on October 27, 2023, but Ace did not detect any suspicious activity until two days later. It then took over five months for Ace Hardware to notify affected individuals and state Attorneys General, with notifications beginning on April 1, 2024.
Ace Hardware's lackluster response
According to the claim, Ace Hardware did not maintain appropriate cybersecurity safeguards, leading to significant vulnerabilities. The legal action though primarily criticizes what happened after discovering the breach, which severely elevated the risk for impacted individuals. Specifically, the delay in notifying affected individuals potentially increased the risk of identity theft and fraud, as it denied individuals the opportunity to take timely protective actions.
The lawsuit also criticizes Ace Hardware for not providing clear information in its breach notifications, failing to specify the number of individuals affected, the specifics of the breach's cause, and the reasons for the notification delay.
The lawsuit accuses Ace Hardware of negligence, breach of implied contract, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, among other claims. The litigation seeks injunctive relief, damages, and restitution, arguing that the defendant's actions warrant compensation for the breach's impact on the plaintiff's privacy and financial security.
Ace Hardware acknowledged the breach on April 1, 2024, stating that it had taken steps to enhance its security measures post-incident. The company offered 12 months of complimentary credit monitoring services to the victims, although the lawsuit argues this is insufficient given the nature of the data involved.
For individuals affected by the data breach, the following steps are recommended:
- Regularly review account statements and credit reports for unauthorized activity.
- Consider placing a fraud alert or a security freeze on credit reports to help prevent new fraudulent accounts from being opened.
- Follow the lawsuit proceedings for potential eligibility for any class-action settlements.
The outcome of this lawsuit could have significant implications for corporate responsibility in data security and consumer privacy, especially in how companies are expected to handle and communicate data breaches in a timely and transparent manner.
New Infostealer Malware ‘Sharp Stealer’ Targets Gamers
Leave a Reply