CHICAGO (CN) -South Carolina's cyber-security contractor, Trustwave, let hackers into the state tax system, compromising the personal information of 3.6 million South Carolinians, taxpayers claim in a federal class action.
Lead plaintiff Amber Strautins sued Trustwave Corp. for breach of contract, privacy invasion and negligence.
"Plaintiff and the other Class Members are taxpayers who filed tax returns (or had tax returns filed on their behalf) with the South Carolina Department of Revenue ('SCDOR') from 1998 to the present," the complaint states. "By filing tax returns with the SCDOR and paying their taxes, Plaintiff and the other Class Members entrusted Trustwave, a SCDOR cyber-security contractor, with the duty to protect their Social Security numbers, federal identification numbers, credit card and/or debit card numbers, tax returns and/or other personally identifiable information (collectively, 'Personally Identifiable Information' or 'PII') submitted in connection with filing their tax returns." (Parentheses in complaint.)
Strautins says the confidential identification of 3.6 million people and 650,000 businesses may have been compromised.
"Sometime during August 2012 and September 2012, hackers infiltrated and improperly accessed SCDOR computer systems containing Plaintiff's and the other Class Members' PII through an exposed portal on the SCDOR website and stole and compromised Plaintiff's and the other Class Members' PII (the 'Data Breach'). Defendant failed to properly safeguard and protect SCDOR's computer systems and, in the process, failed to safeguard and protect Plaintiff's and the other Class Members' PII," according to the complaint.
Strautins says Trustwave did not discover the security breach until at least a month after it occurred, and did not inform class members of the breach for weeks after it did know.
Citing a 2012 Identity Fraud Report released by Javelin Strategy & Research, Strautins claims that "individuals whose PII is subject to a reported data breach - such as the data breach at issue here - are approximately 9.5 times more likely than the general public to suffer identity fraud and/or identity theft. Moreover, there is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess Plaintiff's and the other Class Members' PII have not yet used the information but will do so later, or re-sell it."
Strautins seeks punitive damages for violation of the Fair Credit Reporting Act, negligence, invasion of privacy, and breach of contract.
She is represented by Ben Barnow with Barnow and Associates, with assistance from Richard Coffman in Beaumont, Texas.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.