International Trade Today is a Warren News publication.
Nearly 4-Month Breach

Hackers Stole Student Loan Data Via Unsecured Website Search Tool: Class Action

Student loan servicer Heartland ECSI “failed to institute proper security protocols” to protect individuals’ Social Security numbers and other personally identifiable information (PII), alleged a negligence class action Thursday (docket 2:24-cv-00699) in U.S. District Court for Western Pennsylvania.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

ECSI’s online form that allowed users to search and access tax and financial records, without having to log in or verify their identity, was a “security flaw” cybercriminals exploited to access ECSI customers’ PII and tax forms for information about their tuition, scholarships and student loan payments Oct. 29-Feb. 12, the complaint said. As a result of ECSI’s failure to protect class members' PII and financial information, “tens or hundreds of thousands of individuals had their data exposed and now face substantial risks of financial fraud and identity theft,” alleged the complaint.

Elizabeth Golec, a Coventry, Rhode Island, resident, received a notice dated April 9 from ECSI saying her PII and financial information were involved in the data breach, said the complaint. Since receiving the notice, the plaintiff has been injured in the form of lost time dealing with the consequences of the breach, including time spent verifying the breach’s legitimacy and impact; exploring credit monitoring and identity theft insurance options; self-monitoring her accounts with “heightened scrutiny”; and seeking legal counsel on how to mitigate its effects, the complaint said.

Golec was also injured by the “material risk to future harm” she suffers due to the breach; her anxiety over her loss of privacy and the impact of cybercriminals accessing, using and selling her PII and financial information; and impending injury arising from the “substantially increased risk of fraud, identity theft and misuse” of her personal information by unauthorized third parties, the complaint said.

ECSI didn’t become aware of the data breach until Feb. 12, several months after the breach initially occurred, said the complaint. The defendant eliminated the guest search tax search functionality upon discovering the breach, it said. The company filed notice with the Maine Attorney General April 19, “months after it claims to have discovered” the breach, saying that information belonging to students and other individuals affiliated with numerous colleges and universities was compromised as a result of “significant data security flaws in its network and online search functions,” the complaint said.

Data breach victims remain “in the dark” about the particular data stolen, the malware used, and what steps are being taken, “if any, to secure their PII and financial information going forward,” said the complaint. ECSI could have prevented the data breach by “adequately securing and encrypting and/or more securely encrypting its servers generally,” as well as Golic and class members’ information, it said.

ECSI’s negligence in safeguarding Golec and class members’ PII and financial information is exacerbated by “repeated warnings and alerts directed to protecting and securing sensitive data, as evidenced by the trending data breach attacks in recent years,” said the complaint. Despite public announcements of breaches, the defendant didn’t take appropriate steps to keep their information from being compromised, it said.

In addition to negligence, Golec asserts claims of breach of contract and implied covenant of good faith and fair dealing, plus unjust enrichment. She seeks actual, nominal and consequential damages; an order enjoining ECSI from engaging in the wrongful conduct described; and orders requiring it to encrypt all data collected through the course of business, delete and purge the PII of plaintiff and class members, and implement a comprehensive information security program. She also requests prejudgment interest and attorneys’ fees and costs.