Guardian Analytics Inc. and Webster Bank N.A. have agreed to pay over $1.4 million to resolve claims stemming from a data breach in 2022. The Guardian Analytics and Webster Bank data breach compromised the personal information of approximately 192,000 individuals, leading to allegations of inadequate protection of sensitive customer data. The settlement, which received final approval in federal court, addresses grievances brought forward in a consolidated class action lawsuit. Plaintiffs contended that both Guardian Analytics, a provider of data analytics services to financial institutions, and Webster Bank, failed to implement sufficient measures to safeguard sensitive customer information, including names, Social Security numbers, and financial account details.

Going Back to Guardian Analytics and Webster Bank Data Breach

During the Guardian Analytics data breach, unauthorized individuals gained access to Guardian's network systems between November 27, 2022, and January 26, 2023, obtaining the personally identifiable information (PII) of plaintiffs and class members. This data breach left affected individuals vulnerable to identity theft and other forms of fraud. The plaintiffs alleged that the defendants, Guardian Analytics and Webster Bank, breached their duty to implement and maintain adequate security measures, thereby allowing the breach to occur. As a result, plaintiffs and class members suffered various damages, including a significant risk of identity theft, loss of confidentiality of their PII, and financial losses due to inadequate data security measures.

The $1.4 Million Data Breach Lawsuit

The Guardian Analytics and Webster Bank data breach settlement agreement includes provisions to reimburse affected individuals for monetary losses, covering up to $5,000 for direct financial losses and up to $250 for ordinary losses. Additionally, the agreement compensates for four hours of lost time incurred by plaintiffs dealing with the aftermath of the breach. Individual plaintiffs, including Mark S. Holden, Richard Andisio, Edward Marshall, Ann Marie Marshall, Arthur Christiani, Johnielle Dwyer, Pawel Krzykowski, and Mariola Krzynowek, represented the class action lawsuit. Each plaintiff cited damages suffered as a result of the breach, ranging from financial losses to significant time spent rectifying the situation and monitoring accounts for fraudulent activity. The settlement serves as a reminder of the importance of robust data security measures in an era where cyber threats are increasingly prevalent. Both Guardian Analytics and Webster Bank have emphasized their commitment to enhancing security protocols to prevent similar incidents in the future. The legal proceedings shed light on the grave consequences of data breaches, including prolonged periods of identity theft resolution and financial instability for affected individuals. As technology continues to evolve, businesses must prioritize cybersecurity to protect customer data and maintain trust in an increasingly digital world.

New York-based cyber risk ratings vendor SecurityScorecard has filed a lawsuit against its cyber risk management rival Safe Security for alleged involvement in unfair competition and misappropriating trade secrets. SecurityScorecard has accused its former employee, Mary Polyakova of being a key perpetrator of the embezzlement. According to the lawsuit, Polyakova retrieved SecurityScorecard’s confidential information like list of customers and prospects, before quitting the company last month and later joining Safe Security in Silicon Valley as its sales vice president. The breach of confidential information was apparently valued at $40 million at SecurityScorecard which includes details of 9,300 customers and prospects. In a 30-page complaint filed on Tuesday in the Southern District of New York, SecurityScorecard said, “While brazenly touting a 'revolutionary' approach to cybersecurity risk management, defendant Safe's only true 'revolution' is its unconstrained reliance upon unlawful skullduggery and unfair competition to build its business." Meanwhile, SafeSecurity CEO Saket Modi, refuting the allegations, said that his company’s competitors like SecurityScorecard were laying off many of its employees because of its poor business and this is resorting to legal retribution.

SecurityScorecard shares embezzlement details

According to SecurityScorecard, Polyakova allegedly misappropriated an exhaustive list of the company's customers and prospects, which included the Master East List and CISO Prospect Lists and later shared the information on her personal email. It claimed that if this customer information was misused by Safe Security, it could damage the business prospects of SecurityScorecard. [caption id="attachment_75297" align="alignnone" width="800"] Source: Linkedin[/caption] The company feared that Safe Security could unlawfully poach its customers, which could harm the business interests of SecurityScorecard. Before joining SafeSecurity, Polyakova had spent four years in SecurityScorecard’s sales organization. "SSC's customer and prospect list is the direct result of years of marketing and sales efforts and cannot be replicated through publicly available sources," the company said. "SSC therefore undertakes considerable efforts to maintain the secrecy of its confidential information, including the Master East List and the CISO Prospect Lists." The company alleged that apart from stealing the data and poaching customers, Safe Security used fake accounts to illegally access SecurityScorecard's customer platform and tried to enhance its own cybersecurity offerings. SecurityScorecard alleged that Safe Security misused this access to quality-check its products and make misleading comparisons on the company's website, "Safe has used a shell company or an entirely fake domain to impermissibly access the SSC [SecurityScorecard] platform to perform competitive intelligence gathering," the company said. "This appears to have included trying: (i) to see the SSC products and services purchased by SSC customers; and (ii) validating SAFE's own offerings to customers."

SecurityScorecard Wants End to Unlawful Practices

According to SecurityScorecard, Safe Security, through its actions, would be violating the former’s end-user SaaS agreement, including registration of IP addresses under fake domains. Safe Security had allegedly launched a webpage to compare its services with SecurityScorecard, the lawsuit alleged. "On April 9, 2024, Safe's Co-Founder and Chief Executive Officer, Saket Modi, bragged to SSC's President, Sachin Bansal, that Safe was interviewing former SSC employees with no real intention of hiring them for open positions," the company said. “As proof of these illicit fact-finding endeavors, Mr. Modi touted to Mr. Bansal confidential statistics on SSC's hiring and restructuring practices," it added. SecurityScorecard claimed that Safe Security had conducted fake job interviews with its employees to elicit confidential business information. The company sought monetary damages as well as stay order to stop Safe Security and Polyakova from using or disclosing the alleged stolen information. "Even when caught in this web of deceptive wrongdoing, Safe has simply adopted a 'deny, deny, deny' posture, effectively doubling down on their unlawful conduct," SecurityScorecard said, and added, "That’s precisely what necessitates the injunctive relief now sought here, to put an immediate end to these unlawful practices and protect SSC's trade secrets and confidential and proprietary information." SecurityScorecard said it had pumped in over $200 million to develop its customer and prospect base and had measures in place to protect its proprietary information.

The Australian privacy watchdog on Wednesday filed a lawsuit against Medibank, the country's largest private health insurer, for failing to protect its 9.7 million customers' personal information in a 2022 data breach incident.

The Australian Information Commissioner said in a civil penalty proceedings filed in the Federal Court that Medibank "seriously interfered" with the privacy of Australians by failing to take reasonable steps to protect their data from misuse and unauthorized access. These issues are allegedly in breach of the country's Privacy Act 1988, according to the OAIC.