Date: 2023-08-10

A former Paycom employee has accused the company of failing to protect against a massive data breach in which foreign hackers gained access to the personal information of current and former workers at the payroll giant as well as at companies and organizations around the world.

In Oklahoma County District Court this week, Sara Loveless filed a class-action lawsuit against Paycom, alleging the company negligently handled the personally identifiable information of its employees, which allowed a Russia-linked cybergang this year to steal the data of roughly 7,500 people.

“It is understandably shocking, considering the nature of (Paycom’s) business and its sophistication,” William Federman, the Oklahoma City-based attorney for Loveless, told The Oklahoman. “They became the low-hanging fruit and knew there were bad actors out there trying to access information.”

In late May, a ransomware gang identified as Cl0p exploited a vulnerability in the third-party MOVEit Transfer file-transfer tool to attack organizations, companies, universities and governments, according to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Cl0p is considered to be one of the largest phishing and malspam distributors worldwide, according to the FBI and CISA.

Cl0p, a repeat offender, is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 organizations worldwide, according to the federal agencies.

Targets have included Shell, Procter & Gamble and major universities like Stanford.

The stolen data is sold on encrypted parts of the internet that standard search engines cannot index. Buyers then use it to steal people’s identities and commit fraud in marketplaces all over the globe.

Victims might be blackmailed, see money stolen from their bank accounts and have their credit destroyed.

Lawsuit alleges Paycom was negligent with data before breach

In Oklahoma, the lawsuit against Paycom identifies Loveless as a former employee who worked for the company from 2016 to July 2021 as a lead for the IT governance, risk and privacy teams.

Loveless says that in July she received two letters from Paycom notifying her that her two minor children’s personal information had been exposed.

In its broad cyber attack around the world, Cl0p stole employee data including Social Security numbers, dates of birth, passport information and employment authorization card information, according to the lawsuit.

About the Paycom attack, Federman wrote in the lawsuit:

“Although the data breach was perpetrated by Cl0p, the criminal actors should have never been able to (have) access to plaintiff’s and the class's (personally identifiable information) in the first place.”

It is alleged in the lawsuit that Paycom kept some former employees’ personal information for years after they worked for the company.

The lawsuit accuses Paycom of being negligent and reckless in failing to use appropriate data protection systems.

“The company did not spend enough money or have competent people,” Federman told The Oklahoman.

Paycom offered those affected by the breach 24 months of credit monitoring services, according to the lawsuit.

Federman characterized the offer as “a token gesture” that does little to protect victims after their data has been stolen.

Aware of these offers, cybercriminals often hold onto the stolen data and don't use it until after the complimentary service is no longer active, Federman said.

Among several demands, the lawsuit seeks a requirement that Paycom provide lifetime credit monitoring and identity theft repair services to those who join the class-action litigation.

Federman and his client are also asking for compensatory and punitive damages.

Paycom files report with SEC; reports a 'limited number' affected

Paycom said it does not comment on ongoing litigation.

On July 20, the company filed a report with the U.S. Securities and Exchange Commission that notified investors of the breach.

The breach exposed “a limited number of company files stored on the MOVEit server, including certain employee records containing personally identifiable information,” Paycom reported in the filing.

Paycom reported that it is working with a third-party computer forensics team to verify the scope of the incident and is contacting affected clients directly.

The breach allowed access to data of Paycom clients and their employees, including the personally identifiable information of less than 0.4% of all persons for whom Paycom stored client data during the year ended Dec. 31, 2022, the company reported in the SEC filing.

Compromised data included personally identifiable information in employee records of approximately 127 former and current clients, or approximately 0.7% of Paycom’s client base, the company reported.

On May 31, a vendor notified Paycom of a vulnerability in the MOVEit file transfer software, according to the SEC filing.

Paycom used MOVEit for “a limited set of secure file transfers supporting client services and with certain outside vendors supporting internal operations,” according to the SEC filing.

Paycom reported that it promptly deployed cybersecurity defenses, including patching the software according to the vendor’s published protocols and launching an internal investigation in partnership with outside independent cybersecurity forensic experts.

Paycom also reported, at the time of the filing, that there was no indication the company’s human resources and payroll software application was impacted.

There was no interruption to Paycom’s systems, services or business operations, the company reported.

