Class Action Alleges Goodwill Kept Data Breach Victims ‘in the Dark’ for 7 Months

Goodwill Industries of Greater New York and Northern New Jersey stores a “litany” of highly sensitive personal identifiable information (PII) about its current and former employees and applicants, but it lost control over that data when cybercriminals “infiltrated its insufficiently protected computer systems in a data breach,” alleged plaintiffs Wendy Booker and Francis Mascaro in a class action Monday (docket 1:23-cv-04764) in U.S. District Court for Eastern New York in Brooklyn. Cybercriminals were able to breach Goodwill’s systems because it failed “to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards or protocols,” alleged the complaint. New York City resident Booker and Finley, Ohio, resident Mascaro were notified of the breach May 27, it said. The actual breach occurred Oct. 12 and lasted 17 days or more, “giving criminals plenty of time to seize” the exposed PII, it said. By keeping Booker and Mascaro and their potential class members “in the dark” for more than seven months, Goodwill deprived them “of the opportunity to try and mitigate their injuries in a timely manner,” it said.