Philadelphia Inquirer Hit with Data Breach Lawsuit: Exposed Employee Info at Risk?

Being able to trust an employer with your personal data is a fundamental part of the relationship, given the information and access you grant them on employment. You’d think an organization responsible for reporting the news, including the growing risks of data breaches, would be on top of security measures to protect staff’s data, but according to a new lawsuit that’s just not the case.

The Philadelphia Inquirer has been hit with a proposed class action lawsuit accusing it accusing it of failing to safeguard employee data during a major breach. The lawsuit alleges the Inquirer's negligence exposed the personal information of approximately 25,000 individuals.

Negligent Security Practices Put Sensitive Data at Risk

Sheree Mosley, the plaintiff, claims the Inquirer inadequately secured sensitive employee information, including Social Security numbers. This alleged negligence resulted in hackers accessing personal data during a breach last May.

The company, she says, violated the rights of affected people by:

• Failing to Implement Proper Security Measures: Mosley contends the company didn't have appropriate safeguards in place to protect employee data.
  
  
• Ignoring Data Security Protocols: The lawsuit alleges the Inquirer neglected to follow established protocols for data encryption and security.
  
  
• Providing Inadequate Breach Notification: Mosley claims the company's notification about the breach lacked crucial details, leaving victims uninformed about the hackers, vulnerabilities exploited, and steps taken to prevent future breaches.

Personally, Mosley says she has already experienced an increase in spam calls, texts, and emails.

What is at risk in a breach?

Typically data breaches are carried out by hackers seeking people’s personal information for financial gain, either to use or sell online. Because of that, victim’s of hacks can suffer from invasion of privacy on the least intrusive end to full blown identity theft.

In her lawsuit, Mosley argues that the 25,000 people affected by the breach now risk theft of their personal information, diminished value of that information, lost time associated with mitigating the issue, lost opportunity costs due to mitigation, misuse of data in spam communications, and ongoing risk of theft. 

“The information compromised in this data breach is impossible to ‘close’ and difficult, if not impossible, to change—Social Security number and name. This data demands a much higher price on the black market,” she argues in the lawsuit. 

She cites Martin Walter, senior director at cybersecurity firm RedSeal, as saying “compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”

What Could Have Been Done to Prevent This?

To prevent and detect cyber-attacks, the Philadelphia Inquirer could and should have implemented an awareness and training program, strong spam filters to prevent phishing emails, firewalls to block access to known malicious IP addresses, and operating systems, software, and firmware on devices, amongst other measures, Mosley argues in the class action.

The US Chamber of Commerce advises businesses to secure their technology by using firewalls, antivirus and antimalware tools, and virtual private networks (VPNs). Additionally, they recommend protecting passwords with password managers, passkeys, and multifactor authentication. Finally, educating employees on data protection through cybersecurity training is essential.

Data Breaches on the Rise in Media Companies

According to a Duane Morris report, the number of data breach class actions “exploded” in 2023, and they seem to be continuing into 2024. And the Philadelphia Inquirer isn’t the only news publication facing action. 

In January, the Florida-based Times Publishing Co., which owns the Tampa Bay Times, paid $950,000 to settle a class action lawsuit where it was accused of illegally sharing data on subscribers’ video-watching with Facebook without their knowledge or consent. In December 2023, the Minnesota-based Star Tribune Media Co. paid $2.9 million to settle a class action lawsuit alleging exactly the same.

Meanwhile, another type of communications company, AT&T, is facing a class action lawsuit accusing it of negligence and breach of contract after a huge data breach compromised the personal information of more than 70 million current and former AT&T customers. 

Mosley's lawsuit seeks to represent all individuals affected by the Inquirer's data breach. She seeks damages, injunctive relief, and legal fees associated with the case.

Case Details

• Lawsuit: Mosley v The Philadelphia Inquirer, PBC
• Case Number: 2:24-cv-02106-KSM
• Court: U.S. District Court for the Eastern District of Pennsylvania

Plaintiffs' Attorneys

• Benjamin F. Johns and Samantha Holbrook (Shub & Johns LLC)
• Gary M. Klinger (Milberg Coleman Bryson and Phillips Grossman, PLLC)