TD Ameritrade, Charles Schwab, TIAA Latest Victims of MOVEit Breach Lawsuits

Since the data breach at the encrypted file transfer software program MOVEit that occurred in May and hit financial firms, universities, the U.S. federal government and California public retirement systems, several major financial services firms are facing lawsuits.  

One of the most recent complaints was filed on August 28 against Charles Schwab Corp. and its subsidiary, TD Ameritrade Inc., accusing the institutions of failing to immediately notify the approximately 61,160 of their customers who were exposed in the breach.  

These customers had Social Security numbers, financial account information and other sensitive data exfiltrated by hackers, according to the lawsuit filed in U.S. District Court for the District of Nebraska.  

Keren Jeanfort, of Boynton Beach, Florida, received on or about August 22 a “Notice of Data Breach” letter from “TD Ameritrade Client Services,” dated August 3, the complaint states. Jeanfort claims that the exposure of her private data increases her risk of fraud and identity theft and is seeking recovery for the diminished value of her information and time spent addressing the breach. 

The complaint states that there are individuals completely unaware their personal information has been compromised, and they are at “significant risk of identity theft and various other forms of personal, social and financial harm.” 

Both companies are accused of negligence, unjust enrichment and breach of implied contract. 

A spokesperson from Charles Schwab said in emailed statement, “Generic and conclusory allegations are often devoid of accuracy and context. Our focus is protecting our clients. We do that by not only standing by them in such matters but by thoroughly investigating any incident that may affect them. Our notification practices are consistent with our mission to see the world through our clients’ eyes and are in keeping with our regulatory obligations.”

A complaint was also filed in the U.S. District Court for the Eastern District of Virginia on Wednesday against Genworth Financial, over allegations that it failed to protect its 2.5 million customers’ data from the breach. Plaintiff April Manar, a Missouri resident, who is asking to represent all the individuals affected by the breach. A spokesperson at Genworth said the company does not comment on pending litigation. 

TIAA, Prudential Lawsuits 

Earlier this month, TIAA was also hit with a lawsuit, which was filed in U.S. District Court for the Southern District of New York. This complaint was brought by Andrew Lopez on behalf of former and current employees of companies that used TIAA to process benefits. Law firm Israel David LLC is representing the plaintiffs.  

Lopez’s complaint claims TIAA failed to properly secure and safeguard personally identifiable information, including individuals’ names, Social Security numbers, genders, dates of birth and physical addresses.  

TIAA had partnered with vendor PBI Research Services, which provides search tools to financial services institutions like TIAA. PBI worked with PSC Software for the storage and transfer of TIAA’s client data entrusted to PBI, and the transfer used PSC’s MOVEit transfer file services for a variety of purposes, including the transfer of participants’ personal information. 

“In undertaking the responsibility, TIAA and PBI were both obligated to only hire vendors who maintain adequate data and security practices and PSC is obligated to ensure that their file transfer systems—like MOVEit—are secure,” the complaint states.  

However, due to vulnerabilities in PSC’s MOVEit software, the complaint states that the personal information entrusted by TIAA to PBI by more than 2.3 million retirees, pension holders and other financial customers was compromised.  

The suit also accuses PBI of not disclosing the data breach to those affected until nearly six weeks after the breach was discovered, and criticizes that the Notice of Breach did not disclose the specifics of the attack or any measures taken to ensure the protection of personal information.  

TIAA did not offer any remediation, according to the suit, but PBI offered 24 months of identity theft protection for victims of the data breach.  

TIAA did not immediately respond to requests for comment.  

Prudential was also recently sued by plaintiff Bruce Parker, who had given the company his personally identifiable information and who accused the company of failing to protect his and other victims’ information. In this case, the plaintiffs are seeking restitution, an award of actual damages, compensatory damages, statutory damages, statutory penalties and attorneys’ fees and costs.  

Prudential offered two years of free credit monitoring services to its more than 320,000 impacted customers; the plaintiff is asking the company to provide 10 years.  

How Plan Sponsors Can Protect Themselves 

Wendy Von Wald, a fiduciary liability product manager at the Travelers Companies Inc., an insurance company based in Hartford, says the overall breach is significant in that MOVEit is a data aggregator with “far-reaching implications,” as opposed to a discrete hit on just one entity. 

“For plan sponsors, it really is a bit of a wake-up call to watch more of their service providers and be more aware of [their] entities who are moving large pieces of data or storing [data],” Von Wald says. 

Von Wald adds that it is important for plan sponsors not only to make sure that service providers have the right protocols and procedures in place, but also that they are carrying the right levels of insurance and have the response capabilities to deal with a breach.  

Plan sponsors themselves also need to ensure that they are properly training their fiduciaries and employees about cybersecurity risks, according to Von Wald.