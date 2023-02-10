HanesBrands Inc. is facing federal lawsuits in California and North Carolina over the May ransomware attack that cost the Winston-Salem manufacturer about $100 million in global sales.

The N.C. lawsuit, filed in federal Middle District Court on Oct. 13, has Nicole Toussaint as the plaintiff on behalf of current and former employees. The California lawsuit Roman vs. HanesBrands was filed Oct. 7 in the Central District.

HanesBrands disclosed in a May 31 regulatory filing that it began experiencing the ransomware attack on May 24. Toussaint said she wasn’t notified of the data breach until Aug. 16.

Toussaint lives in Maine and was employed as an assistant manager from 2012 through 2018.

Both lawsuits allege the breach exposed HanesBrands employees and former employees to potential identity theft, and that the company didn’t have adequate safety measures.

Ransomware is a type of malicious software employed by hackers that can block access to a computer system until a ransom is paid. In recent years, the targets have shifted from individuals to governments, companies, nonprofits and health care systems.

HanesBrands did not say at that time whether the attack affected only internal operations, or whether the information held hostage affected employees and customers.

The suits ask for compensatory, punitive and other damages, as well as injunctive relief that requires HanesBrands “to strengthen its data security systems and monitoring procedures, submit to future annual audits of those systems, and immediately provide adequate credit monitoring” for up to 10 years.

HanesBrands said it is “vigorously defending these matters and believe the cases are without merit.”

The main allegation is that the ransomware attack contributed to a data breach of “certain highly sensitive personal and protected health information” that included name, address, date of birth, financial account information and government-issued identification numbers, and other health and employment accounts.

HanesBrands said the ransomware attack affected its global supply chain network and ability to fulfill customer orders for about three weeks.

The ransomware attack resulted in a $35 million reduction in adjusted operating profit for the second quarter of fiscal 2022, while lowering adjusted earnings per share by 8 cents.

N.C. lawsuit claims

Toussaint is alleging “negligence, breach of implied contract, invasion of privacy, and unjust enrichment.”

The complaint alleges the ransomware attackers “intentionally targeted” HanesBrands for employee information that could be sold for use on the “dark web.”

Toussaint claims she has received at least three suspicious spam emails per week since the data breach.

The lawsuit claims the ransomware attack was successful “as a direct result of defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect individuals’ private information with which it was entrusted for employment or other business purposes.”

“Had HanesBrands properly monitored its property, it would have discovered the intrusion earlier.

“As a result, the plaintiff and class members have been exposed to a heightened and imminent risk of fraud and identity theft ... and incur out-of-pocket costs” for credit monitoring and other credit services.

The lawsuit claims HanesBrands has “merely offered identity monitoring services for a paltry 24 months” through Experian IdentityWorks.

The plaintiff claims HanesBrands failed to follow Federal Trade Commission and industry standards for data protection.

The California plaintiff is alleging “negligence, breach of implied contract, unjust enrichment, breach of implied covenant of good faith and fair dealing, unfair business practices under the California Business and Professions Code, and violations of the California Confidentiality of Medical Information Act.

California has a low bar for proving violations of business and professions code, as well as false advertising and breach of contract.

HanesBrands response

HanesBrands said it “does not expect any of these claims, individually or in the aggregate, to have a material adverse effect on our consolidated financial position or results of operations.”

“However, at this early stage in the proceedings, we are not able to determine the probability of the outcome of these matters or a range of reasonably expected losses, if any.”

HanesBrands said it “maintains insurance, including coverage for cyber-attacks, subject to certain deductibles and policy limitations, in an amount that we believes appropriate.”

In the May 31 ransomware disclosure, HanesBrands said it had “activated its incident response and business continuity plans designed to contain the incident.”

The manufacturer said at the time it had notified law enforcement and was cooperating with the investigation in addition to engaging attorneys, a cybersecurity forensic firm and other professionals to deal with the response.