TD Ameritrade Hit With Class-Action Suit Over MOVEit Hack

News August 29, 2023 at 11:22 AM
Share & Print

TD Ameritrade was hit Monday with a class-action lawsuit for a data breach related to the ongoing cyberattack exploiting the MOVEit file-transfer software.

The suit, filed in the U.S. District Court for the District of Nebraska, states that the plaintiff Fortuno Jeanfort, along with the proposed class members, have already "all suffered injury" via fraudulent credit card charges and identity theft as a result of TD Ameritrade's "negligent conduct" in not protecting their personally identifiable information.

On Aug. 24, TD Ameritrade, along with Charles Schwab, was sued in another class action filed in Nebraska related to the MOVEit hack.

The class-action suit against Schwab and TD comes as there's less than a week to go before TD Ameritrade advisors and their clients' accounts are scheduled to move to the Charles Schwab platform.

A number of class-action lawsuits have already been filed in relation to the breach,  including  one filed earlier this month against TIAA.

TD Suit Details

According to the suit against TD Ameritrade, between May 28, 2023, and May 30, 2023, an unknown actor gained access to TD Ameritrade's files that were saved on its MOVEit file transfer server.

As a result, "Plaintiff and the Class Members have had their personal identifiable information exposed," the lawsuit states. It is believed that the well-known Russian cybergang, CL0P is the source of the attack, the suit states.

At least 734 organizations have reported MOVEit-related breaches, according to KonBriefing Research. Those reports have affected at least about 43 million people.

TD Ameritrade "betrayed the trust of Plaintiff and the other Class Members by failing to properly safeguard and protect their personal identifiable information and thereby enabling cybercriminals to steal such valuable and sensitive information," the suit states.

On or around May 30, 2023, TD Ameritrade "claims they became aware that its MOVEit system had been breached," according to the suit, adding that the breach exposed names, Social Security numbers, financial account information, dates of birth, government identification numbers and other personal identifiers.

Around August of 2023, TD Ameritrade began notifying class members of the data breach. TD Ameritrade began sending "undated notices of the Data Breach," which included an admission "that an unauthorized actor accessed sensitive personal information about Plaintiff and Class Members," according to the suit.

"The details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure a breach does not occur again have not been shared with regulators or Plaintiff and Class Members, who retain a vested interest in ensuring that their information remains protected," the suit claims.

In a statement shared with ThinkAdvisor, TD Ameritrade said that "Generic and conclusory allegations are often devoid of accuracy and context. Our focus is protecting our clients.

"We do that by not only standing by them in such matters but by thoroughly investigating any incident that may affect them. Our notification practices are consistent with our mission to see the world through our clients' eyes and are in keeping with our regulatory obligations," it added.

Significant Risks

The suit goes on to state that "due to Defendant's negligence, cybercriminals obtained everything they need to commit identity theft and wreak havoc on the financial and personal lives of thousands of individuals."

The class action "seeks to redress Defendant's unlawful, willful and wanton failure to protect the personal identifiable information of approximately 61,160 individuals that was exposed in a major data breach of Defendant's files saved on the MOVEit server in violation of its legal obligations."

The suit maintains that "for the rest of their lives, Plaintiff and the Class Members will have to deal with the danger of identity thieves possessing and misusing their Personal Information."

Jeanfort and the class members face the potential for their personal information "to be sold and distributed on the dark web; a lifetime risk of identity theft, sharing, and detrimental use of their sensitive information; out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; and lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach," the suit states.

"At this time, there exist many Class Members who are totally unaware their PII has been compromised, and that they are at significant risk of identity theft and various other forms of personal, social, and financial harm," the suit maintains.

Image: Shutterstock 

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center