LINCOLN, Neb.— Liberty First Credit Union here has been hit with two proposed federal class actions accusing the organization of negligently failing to protect the personal information of more than 52,000 people that was exposed in a September data breach, Bloomberg Law reported.
As CUToday.info reported, the $479-million Liberty First recently disclosed it suffered a data breach that compromised the sensitive personal data of thousands of individuals. That data included names, addresses, Social Security numbers, and account numbers.
Denise Walker and Susan McMurtry alleged in separate lawsuits that Liberty First breached its duties under common law, contract law, industry standards, and the Federal Trade Commission Act to implement reasonable and adequate data-security measures, and failed to provide timely and adequate notice of the breach, Bloomberg Law said.
As CUToday.info reported, LFCU launched an investigation with the assistance of third-party cybersecurity experts to determine the nature and scope of the incident.
“The forensic investigation determined that the unauthorized third party may have accessed and acquired certain files from its systems. It was discovered that unauthorized access was limited to a portion of its internal network and did not involve unauthorized access to its banking, online banking or payment systems,” the law firm of Levi & Korsinsky said.
On Sept. 24, LFCU learned that the unauthorized third party acquired files that contained some individuals' personal information, Levi & Korsinsky said.
“LFCU then launched a comprehensive review of the incident to confirm the exact type of information breached and identify the individuals impacted. Although the exact type of information involved in the data breach is not confirmed, the information impacted may involve the following types of sensitive personal information: name, date of birth, and Social Security number,” Levi & Korsinsky said.
On Nov. 25, LFCU issued a public disclosure and started sending notice letters to the impacted individuals, Levi & Korsinsky added.
Ransomware Attack?
Separately, security platform Halcyon called the LFCU breach a ransomware attack.
“The attackers claim to have exfiltrated 254 GB of sensitive data, including client databases, passports, and financial records,” Halcyon said, noting RansomHub, a ransomware group, claimed responsibility for the attack. Halycon noted that Ransomhub had set a ransom deadline of Sept. 29, 2024.