Charlotte-based Truist Bank is facing 2 federal class action lawsuits following an October 2023 data breach, which claim the bank didn’t adequately protect individuals’ personal identifying information.
The complaints were filed by Stephen Ruffin and Marshall Boyd in the US District Court for the Western District of North Carolina earlier in June.They’re suing the bank for negligence, breach of implied contract, and unjust enrichment. Boyd is also suing for violations of the Florida Deceptive and Unfair Trade Practices Act.
More specifically, the plaintiffs allege that the bank failed to follow standard security protocols that might have prevented the cyberattack and didn’t promptly and accurately notify its customers about the breach.
According to their complaints, Truist Bank started notifying affected clients about the data breach in May, nearly 6 months after it happened.
The notice letter, sent by Financial Business and Consumer Solutions on behalf of Truist Bank, told customers that an unauthorized third party had accessed “a small number” of Truist employee accounts.
The letter explained that the “unauthorized party used these accounts to obtain the information of some Truist clients” and compromised information included names, dates of birth, financial account numbers, loan transaction amounts, and loan balances.
“At that time, our cybersecurity team promptly took steps to assess the intrusion and contain the unauthorized access,” the letter added.
Ruffin and Boyd noted in their complaints that the letter was missing important information as well, like the date the breach was detected, the vulnerabilities that were exploited, the identity of the cybercriminals, and the measures taken to prevent future breaches.
“This ‘disclosure’ amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, plaintiff and class members of the data breach’s critical facts,” the plaintiffs argued. “Without these details, plaintiffs’ and class members’ ability to mitigate the harms resulting from the data breach is severely diminished.”
The complaints claim that the bank “knew or should have known that the [personal identifiable information] that they collected and maintained would be targeted by cybercriminals.”