Canon Data Breach Brings Class Action Lawsuit
Ongoing Repercussions of Canon Data Breach
Former and current Canon employees are bringing a class action lawsuit against the company for the data breach incident from August 2020. According to The National Law Review, the plaintiffs “allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.”
In early August, Canon confirmed they had suffered a ransomware attack that occurred between July 20 and August 6. Bleeping Computer reported the likely culprit to be MAZE, a now supposedly shuttered ransomware group specializing in double extortion. In mid-August, it became clear Canon had not paid the ransom, as MAZE began releasing 5% of data allegedly stolen from Canon. The published files did not appear to contain more sensitive or personal data.
It wasn’t until November that Canon admitted the seriousness of this data breach and alerted those affected. According to Security Week, the compromised files contained information belonging to current and former employees (along with their beneficiaries and dependents) from 2005 to 2020. This information includes names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, electronic signatures, and more.
Canon notified their former and current employees in a letter, offering a free one-year membership to Experian’s® IdentityWorks℠ credit monitoring service. After their year is up, Canon’s former and current employees will presumably need to shell out at least $99.99/year themselves to deal with the long-term effects of this breach.
For this reason, the lawsuit seeks to “recover damages and other relief” including reimbursement and continued funding for “out-of-pocket costs” such as credit monitoring subscriptions. The plaintiffs also seek other measures such as improved data security and annual security auditing “to mitigate future harms that are certain to occur in light of the scope of this breach.”