Truist Bank sued over data breach

Two federal class action lawsuits have been filed against Truist Bank over a cyberattack in October that exposed some clients’ personal information.

Plaintiffs Stephen Ruffin and Marshall Boyd, in two separate complaints filed in the US District Court for the Western District of North Carolina earlier in June, claimed that Truist Bank failed “to properly secure and safeguard sensitive information of its customers.”

The Charlotte-based bank, one of the largest commercial banks in the country, allegedly did not follow standard security procedures that could have prevented the cyberattack and did not inform its customers of the breach in a timely and accurate manner.

According to the lawsuits, Truist Bank began informing affected clients of the data breach in May, almost six months after the breach occurred around October 27 of the previous year.

The notice letter, sent on behalf of the Truist Bank by Financial Business and Consumer Solutions, said that an unauthorized third party gained access to “a small number” of Truist employee accounts.

“This unauthorized party used these accounts to obtain the information of some Truist clients. At that time, our cybersecurity team promptly took steps to assess the intrusion and contain the unauthorized access,” the letter read.

It said the affected information included names, date of birth, financial account number, loan transaction amounts, and loan balance.

According to both Ruffin and Boyd, the letter omitted the identity of the cybercriminals that infiltrated that bank’s systems, the date when the breach was detected, the exploited vulnerabilities, and the remedial measures undertaken to ensure such a breach does not occur again.

“This ‘disclosure’ amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, plaintiff and class members of the data breach’s critical facts,” the plaintiffs said.

“Without these details, plaintiff’s and class members’ ability to mitigate the harms resulting from the data breach is severely diminished,” they claimed.

Cybernews has contacted Truist Bank for comment.

Both Ruffin, from Georgia, and Boyd, from Florida, said in their complaints that Truist Bank “knew or should have known that the [personal identifiable information] that they collected and maintained would be targeted by cybercriminals” in light of similar breaches against T-Mobile and 23andMe among others.

Instead, the bank “maintained, used, and shared the [information] in a reckless manner,” they said. As a result of the breach, they said they suffered “concrete injuries” and are suing for negligence, breach of implied contract, and unjust enrichment. Boyd is additionally suing for violations of the Florida Deceptive and Unfair Trade Practices Act.