What You Need to Know
- The suit claims TIAA inadequately maintained its network, platform, software and technology partners, leaving them vulnerable to cyberattack.
- TIAA also failed to provide timely notice to the affected plaintiff and class members, exacerbating their injuries, the suit states.
- The hack has affected at least 1,006 organizations and 48 million people.
TIAA has been hit with a second lawsuit over a data breach related to the cyberattacking exploiting MOVEit file-transfer software.
The first suit was filed on Aug. 8 in the U.S. District Court for the Southern District of New York, on behalf of former and current employees of companies that used TIAA to process benefits.
Plaintiff Steven Teppler, and the proposed other class members, filed the second suit Thursday in the same district court.
The suit “seeks to hold TIAA responsible for the injuries TIAA inflicted on Plaintiff and approximately 2.4 million similarly situated persons … due to TIAA’s impermissibly inadequate data security, which caused the personal information of Plaintiff and those similarly situated to be exfiltrated by unauthorized access by cybercriminals” on May 29.
At least 1,006 organizations have reported MOVEit-related breaches as of Aug. 28, according to KonBriefing Research. Those reports have affected more than 49 million people.
The cybercriminals who breached the file transfer software are said to be part of the Cl0P crime group.
See: MOVEit Hack Hit These Financial Firms
The suit contends that “prior to and through the date of the Data Breach, TIAA obtained Plaintiff’s and Class Members’ [personally identifiable information] and then maintained that sensitive data in a negligent and/or reckless manner,” and that “as evidenced by the Data Breach, TIAA inadequately maintained its network, platform, software, and technology partners— rendering these easy prey for cybercriminals.”