Federal lawsuit filed against Paxton Media Group after data breach of nearly 21k employees

October 2, 2021 | 12:10 am

Updated October 2, 2021 | 9:49 am

A federal lawsuit has been filed against Paxton Media Group, alleging that the company suffered a cyber attack and data breach but waited three or more months before informing nearly 21,000 current and former employees their private information may have been stolen.

PMG is a Kentucky company with a principal place of business in Paducah, owning more than 100 publications across 14 states. Their flagship newspaper is The Paducah Sun, and they also own the Messenger-Inquirer in Owensboro. 

The lawsuit was filed Sept. 22 and the first news of the filing came from reporter Jason Riley with WDRB in Louisville.

According to a copy of the 32-page lawsuit obtained by Owensboro Times, two plaintiffs are filing individually and on behalf of all others affected.

According to the nature of the action of the lawsuit, “unauthorized third-parties infiltrated and accessed the Company’s inadequately protected computer systems” between Feb. 26 and March 20 of 2021.

The lawsuit alleges that during that time the hackers obtained personally identifiable information (PII) of Paxton’s current and former employees, including names, dates of birth, Social Security numbers, driver’s license or state ID numbers, financial account and/or routing number information, health insurance information, taxpayer ID numbers, and credit card numbers and/or expiration dates.

At least 20,835 individuals were affected, according to the lawsuit.

The lawsuit claims PMG identified suspicious activity on March 20, but breach notifications were not sent out until June 24, or thereabouts.

Some employees have still not been directly notified via a letter, and it is not known if every person affected has at least some knowledge of the incident. Everyone affected is considered a plaintiff in the case.

Three current Owensboro Times employees and one former OT employee all previously worked with various PMG publications in recent years. Two who worked at the Messenger-Inquirer and left in 2016 and 2018 never received direct notification about the breach. Neither did the one who left an area PMG publication in 2020. (It should be noted all three have changed addresses since their employment with PMG.) One who left an area PMG publication in 2021 received a letter around the first of August.

According to the notice letter Paxton sent to affected individuals, the company opened an investigation on March 20 and determined an “unauthorized actor” copied the personal information.  

Sometime after the letters began to go out, a link was embedded at the top of at least the Messenger-Inquirer website — and potentially other PMG publication sites — that took users to a page detailing a “notice of data privacy event.” 

That page said “PMG is providing information about the event, PMG’s response to it, and resources available to individuals to help protect their information, should they feel it necessary to do so.”

That link was no longer present on the MI website as of Friday afternoon, though the page it led to can still be found here.

If an individual did not receive a letter but would like to know if they are affected, they may call PMG’s dedicated assistance line at 833-909-3905 from 6 a.m. to 6:00 p.m. Pacific Time, Monday through Friday.

The lawsuit further claims the information “will now be used for criminal purposes” including identity theft and fraudulent purchases. One of the plaintiffs alleges they were the victim of an attempted phishing scam. The other plaintiff alleges a fraudulent loan was taken out and that a fraudulent checking account was opened, both by using her information without her knowledge.

Part of the lawsuit reads, “Paxton’s conduct — failing to take adequate and reasonable measures to ensure that its employee data was protected, failing to take available steps to prevent and stop the Data Breach, failing to take adequate measures to detect the Data Breach, failing to provide timely notice of the Data Breach so that a month had passed before providing its employees and former employees with notice of the Data Breach, and enabling the actors to execute the Data Breach and steal Plaintiffs’ and Class members’ PII — has caused substantial harm and injuries to its own employees and former employees.”

It further notes that all those affected are “at serious, immediate, and ongoing risk and, additionally, caused costs and expenses to Plaintiffs and Class members associated with time and money spent as a result of taking time and incurring costs to address and attempt to ameliorate, mitigate and deal with the actual and future consequences of the Data Breach.”

The plaintiffs are bringing the action individually and on behalf of the Class, defined as “All current and former employees of Defendant Paxton who are residents of the United States of America and whose PII was accessed in the Data Breach.”

Plaintiffs are seeking actual damages, statutory damages, punitive damages, and restitution. They are further suing PMG for, among other causes of action, negligence, breach of implied contract, invasion of privacy, breach of confidence and unjust enrichment. The plaintiffs are also seeking declaratory and injunctive relief, including significant improvements to Paxton’s data security systems and protocols, future annual audits, defendant-funded long-term credit monitoring services, and other remedies as the Court deems necessary and proper.

According to the lawsuit, which references the data breach notice sent by PMG, Paxton only provided 12 months of identity theft and credit monitoring protection and only for those individuals whose Social Security numbers were exposed.

Venue for the case has been placed in the Paducah Division of the United States District Court for the Western District of Kentucky.

Lawyers for the plaintiffs, according to the lawsuit file, are as follows:
