The plaintiffs allege the company failed to properly protect customer records.
Genworth Financial faces a new lawsuit over allegations that it failed to protect customers’ data from the MOVEit file transfer software breach, which may have exposed the personal information, including Social Security numbers, of about 2.5 million Genworth customers.
April Manar, a Missouri resident who is acting as the lead plaintiff, is seeking class-action status for the suit, which was filed Wednesday in the U.S. District Court for the Eastern District of Virginia. The complaint is available on Law.com Radar.
Manar is asking to represent a total of about 2.5 million people affected by the breach, including a class of Genworth customers in Missouri and a national class. A Genworth representative said the company does not comment on pending litigation. She has requested that the court award an unspecified amount of damages.
Progress Software, the company that sells the MOVEit software, emphasizes that it disclosed the vulnerability that led to the MOVEit hack and deployed a patch the same day.
See: The MOVEit Hack Has Hit These Financial Firms So Far
The MOVEit Breach
MOVEit is a widely used system for moving big, important batches of data. Many life insurance and annuity issuers, defined benefit pension plans and defined contribution retirement plans have worked with a vendor that has used MOVEit in efforts to determine whether individuals with relationships with the companies are still alive.
Cl0p, a Russian hacking gang, used the MOVEit vulnerability to get access to financial services companies and tried to persuade companies to pay it to keep the data secure.
Cl0p seems to have published much or all of the data it stole on the dark web, in fragmented and difficult-to-use files, according to press reports.
Notices issued to date suggest that the breach may have affected the records of about 26 million U.S. insurance and retirement services clients. The breaches have affected about 49 million people throughout the world, according to KonBriefing Research.
The Cl0p MOVEit breach appears to be smaller than some other high-profile financial services sector breaches.
In 2017, for example, a data breach at Equifax, a big credit bureau, exposed the personal financial data of about 147 million U.S. consumers. Equifax settled with the affected customers for $1.4 billion, or about $1,000 per affected customer.
The Manar Suit
The Manar suit was brought by a legal team that includes lawyers from Harty Jewell of Yorktown; Virginia McShane & Brady of Kansas City, Missouri; and Zinns Law of Atlanta.
Plaintiffs have filed dozens of other federal court suits against financial services companies involved in the MOVEit breach, including Genworth itself and TD Ameritrade.
The U.S. Judicial Panel on Multidistrict Litigation will hear arguments Sept. 28 in Lexington, Kentucky, on whether and how to consolidate some or all of the federal MOVEit litigation, including the Manar suit.
The Manar complaint focuses more than many other MOVEit breach complaints on the problems faced by people who have lost control over their Social Security numbers.
“It is no easy task to change or cancel a stolen Social Security number,” the complaint reads. “An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.”
Even if an individual gets a new Social Security number, credit bureaus may still link a client’s new records to records of old transactions made by the criminals who used the old Social Security number, according to the complaint.