TIAA Hit With Second Class-Action Suit Over MOVEit Hack

TIAA inadequately maintained its network and failed to provide timely notice to some 2.4 million clients, the suit argues.

TIAA has been hit with a second lawsuit over a data breach related to the cyberattack exploiting MOVEit file-transfer software.

The first suit was filed on Aug. 8 in the U.S. District Court for the Southern District of New York, on behalf of former and current employees of companies that used TIAA to process benefits.

Plaintiff Steven Teppler and the other proposed class members filed the second suit Thursday in the same district court.

The suit “seeks to hold TIAA responsible for the injuries TIAA inflicted on Plaintiff and approximately 2.4 million similarly situated persons … due to TIAA’s impermissibly inadequate data security, which caused the personal information of Plaintiff and those similarly situated to be exfiltrated by unauthorized access by cybercriminals” on May 29.

At least 1,006 organizations have reported MOVEit-related breaches as of Aug. 28, according to KonBriefing Research. Those breaches have affected more than 49 million people.

The cybercriminals who breached the file transfer software are said to be part of the Cl0P crime group.


The suit contends that “prior to and through the date of the Data Breach, TIAA obtained Plaintiff’s and Class Members’ [personally identifiable information] and then maintained that sensitive data in a negligent and/or reckless manner,” and that “as evidenced by the Data Breach, TIAA inadequately maintained its network, platform, software, and technology partners — rendering these easy prey for cybercriminals.”

Plus, the suit states, “the risk of the Data Breach was known to TIAA,” and “Thus, TIAA was on notice that its inadequate data security created a heightened risk of exfiltration, compromise, and theft.”

After the data breach, the suit states, “TIAA failed to provide timely notice to the affected Plaintiff and Class Members — thereby exacerbating their injuries.”

Ultimately, according to the suit, “TIAA deprived Plaintiff and Class Members of the chance to take speedy measures to protect themselves and mitigate harm. Simply put, TIAA impermissibly left Plaintiff and Class Members in the dark — thereby causing their injuries to fester and the damage to spread.”

When TIAA “finally notified Plaintiff and Class Members of their PII’s exfiltration, TIAA failed to adequately describe the Data Breach and its effects,” the suit maintains.

As alleged in suits against other firms, the plaintiffs contend that their personal identifying information, like names and Social Security numbers, has been exposed, and that “armed with the PII stolen in the Data Breach, criminals can commit a litany of crimes.”

Today, the suit states, “the identities of Plaintiff and Class Members are in jeopardy — all because of TIAA’s negligence. Plaintiff and Class Members now suffer from a heightened and imminent risk of fraud and identity theft and must now constantly monitor their financial accounts.”

TIAA did not respond to a request for comment.
