Milberg Data Breach Class Action Targets GWLM Accounting Firm

Another week, another Milberg data breach class action lawsuit filed, this time against a Maryland-based accounting firm that allegedly fell prey to an email phishing scam that exposed the personal information of more than 18,500 individuals.

Milberg attorneys Thomas Pacheco, David K. Lietz, and Gary Klinger filed the class action on March 28 in Maryland District Court. The lawsuit describes the data breach as “completely foreseeable” and seeks damages, civil penalties, punitive damages, and injunctive relief on behalf of anyone whose information was exposed in the cyberattack. Milberg data security lawyers are national leaders in the fields of cybersecurity, data breach litigation, and biometric data lawsuits.

About the GWLM Data Breach

Defendant Grandizio Wilkins Little & Matthews, LLP (GWLM) is a full-service accounting firm with a principal office located in Millersville, MD. GWLM offers tax and business services that include tax preparation, tax planning services, audits, strategic business planning, new business formation, and succession planning.

Accounting firms are particularly susceptible to cyberattacks because they maintain highly sensitive PII such as Social Security numbers and financial information.

In a notification dated January 14, 2022, GWLM informed clients of a “recent data security incident” that occurred on June 7, 2021 when GWLM discovered “unauthorized access” to an employee’s email account. GWLM says that it “immediately engaged” cybersecurity experts to investigate the incident. Upon the completion of the investigation, GWLM learned that the following customer information may have been exposed in the data breach:

• Name
• Social Security number
• Medical information
• Driver’s license information
• Financial account information
• Payment card information

Information provided by state attorneys general indicates that an estimated 18,515 individuals from across the country had their personally identifiable information (PII) compromised in the breach.

About The Milberg Data Breach Class Action

GWLM states on its website that “Security is very important to us.” The company assures clients that “your data is protected in extremely secure environments” and that its Client Portal is “the Most Secure Client Portal available on the market.”

However, while GWLM has been vague about the mechanism of the cyberattack it suffered, the attack appears to have come not via its Client Portal, but via an email phishing attack, which Milberg calls, “the most common and easily thwarted form of cyberattack” in its class action complaint.

GWLM failed to take adequate measures to protect its clients’ PII, waited more than seven months to disclose the data breach after it was discovered, and has been vague about the details of the attack, Milberg’s lawsuit claims.

Citing research from Verizon, Milberg notes that more than 90% of all cybersecurity attacks that result in a data breach begin with a phishing attack. Furthermore, Milberg points out that accounting firms are particularly susceptible to cyberattacks because they maintain highly sensitive PII such as Social Security numbers and financial information. Attacks against the financial sector are up substantially, and financial services companies like GWLM typically feature among the top five sectors targeted by cybercriminals.

Not only did GWLM fail to take adequate measures to protect its clients’ PII, Milberg claims, but it waited more than seven months to disclose the data breach after it was discovered. Even worse, the complaint states, GWLM has been vague about the nature of the unauthorized access and what PII was involved.

“This ‘disclosure’ amounts to no real disclosure at all, as it fails to inform Plaintiff and Class Members what information belonging to them was affected,” according to the complaint.

The Lead Plaintiff and Proposed Class

The lead plaintiff is a Delaware resident who received a data breach notification from GWLM and claims that he has been affected by the cybersecurity incident in the following ways:

• Loss of time due to hours spent monitoring his accounts and credit scores as well as researching how he has been impacted by the data breach
• Lost opportunity costs associated with attempting to mitigate the consequences of the data breach
• Emotional distress, including anxiety and increased concerns for the loss of his privacy
• Damages to and diminution of the value of his PII, a type of intangible property
• Imminent and impending injury stemming from his substantially increased risk of fraud, identity theft, and misuse of his PII

The Milberg data breach class action defines a preliminary class consisting of: All persons GWLM identified as being among those individuals impacted by the Data Breach, including all who were sent a notice of the Data Breach.

Milberg: A National Leader in Data Security Litigation

Milberg data breach attorneys have a proven track record of holding companies accountable for failing to protect their customers’ data and privacy rights, including Anthem, Capital One, Equifax, Facebook, Google, and Yahoo. We work at the cutting edge of technology and law, helping to create meaningful checks and balances against technology and the companies that wield it.

For the latest firm news, follow us on Facebook and Twitter. To discuss a possible violation of your data privacy rights, please contact us.