A Maine-based accounting firm is being sued after a data breach exposed personal information, including Social Security numbers, of more than a million people.
Berry, Dunn, McNeil & Parker LLC, which is based in Portland, learned about the data breach around Sept. 14, when its vendor, Reliable Networks of Maine, LLC, said it “discovered suspicious network activity,” according to a notification letter from BerryDunn.
Around 1.1 million people who use BerryDunn’s services were affected by the breach, according to eight lawsuits filed in U.S. District Court in Portland on Tuesday. An “unauthorized actor” took data stored on a vendor’s server, but BerryDunn said there is no evidence personal information was misused, in the letter.
The lawsuits allege, in part, that BerryDunn was negligent, breached its fiduciary duty and was unjustly enriched. BerryDunn “failed to properly implement basic data security practices,” which is prohibited by federal law, according to the lawsuit.
Customers were told about the breach in late April, seven months after it happened. The notification followed an investigation by BerryDunn, according to the letter.
BerryDunn did not respond to a request for comment at the time of publication. The company has not filed responses in court.
The data breach included a combination of names, addresses, Social Security numbers, dates of birth and individual health insurance policy numbers, the lawsuit said.
People affected may have loans and bills taken out in their name, face tax and credit card fraud, and other identity theft. Social Security numbers are one of the worst types of personal information to be stolen because there is a wide variety of fraud that can be committed with it and it is difficult to change, the lawsuit said.
BerryDunn has not provided adequate compensation for the unauthorized release of the personal information, the lawsuit said.
The eight lawsuits may be consolidated into one, at the request of the people who filed them. A judge must also certify the lawsuits as class action.
The lawsuits ask a judge to order BerryDunn to pay for credit monitoring and award unspecified damages. They also ask for BerryDunn to be ordered to hire a third-party security auditor to test systems, conduct regular security checks on its database, add firewalls to prevent hackers from accessing all sensitive information at one time, and conduct training for internal security personnel about how to identify and contain a breach.
The Bangor Daily News is a client of Berry Dunn’s, but was not affected by the data breach, said Jennifer Holmes, the newspaper’s senior vice president.
