International Trade Today is a Warren News publication.
'Free Rein to Surveil'

Verizon Employees Learned of Data Breach 5 Months After It Occurred: Class Action

A Verizon employee gained unauthorized access to a file containing personally identifiable information (PII) of 63,206 company staffers on Sept. 21, though Verizon didn’t discover the breach until Dec. 21, alleged a fraud class action Wednesday (docket 2:24-cv-01431) in U.S. District Court for Central California in Los Angeles. Moreover, Verizon notified the Maine attorney general and data breach victims weeks later, on Feb. 7, it said.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Carlos Malacon, a South Gate, California, resident, was a Verizon employee from April 2021 until last month, said the complaint. Verizon’s Feb. 7 letter informed Malacon that the company reviewed the breached file and determined it may include his PII, it said. Despite knowing Malacon and other employees were “in danger,” Verizon “did nothing” to warn them until nearly two months later, it said. Cybercriminals had “free rein to surveil and defraud their unsuspecting victims,” it said.

Since the breach, Malacon has received “an influx of spam telephone calls and messages,” said the complaint. He has suffered “imminent and impending injury” from the “substantially increased risk of fraud, identity theft, and misuse” of his PII, especially his Social Security number, “being placed in the hands of unauthorized third parties and possibly criminals,” it said.

Verizon “has done very little to protect” data breach victims, “only offering two years” of credit monitoring and theft protection services, after allowing cybercriminals to access a “wealth of priceless information for nearly five months” before notifying victims, said the complaint.

Data breach victims were subjected to “violations of their privacy, fraud, and identity theft, or have been exposed to a heightened and imminent risk of fraud and identity theft,” said the complaint. They must now and in the future closely monitor their credit reports, financial accounts and online accounts to guard against identity theft, it said.

The September breach isn’t the first time Verizon employees were victims, said the complaint, noting a May 2022 incident where a hacker held internal contact information and other details for ransom. Verizon experienced at least seven data breaches since 2008 and should have taken measures to protect employees’ PII, the complaint said.

Malacon brings claims of negligence and negligence per se; breach of fiduciary duties, confidence and implied contract; and invasion of privacy. The plaintiff seeks for himself and the class actual, statutory and punitive damages, plus attorneys’ fees and legal costs, said the complaint. Verizon didn’t comment Thursday.