Milberg Files Data Breach Class Action Lawsuit Against Creative Services, Inc.

Attorneys for Milberg Coleman Bryson Phillips Grossman PLLC (Milberg) have filed a data breach class action lawsuit against Creative Services, Inc. (CSI) over a data breach that affected more than 164,000 individuals. The lawsuit seeks damages, restitution, and injunctive relief for eligible class members. Anyone whose personal information was compromised in the CSI data breach may be able to join the lawsuit, which is pending class certification in Massachusetts District Court.

Complaint: CSI Data Breach Went Undetected for Two Months

CSI is a background check and security screening solutions company based in Mansfield, Massachusetts. It performs security authorizations for contracting companies in industries that include biotechnology, cannabis, energy, financial services, healthcare, higher education, life sciences, and pharmaceuticals.

“CSI failed to monitor their networks to ascertain whether there were any intrusions, and failed to detect an intrusion for over two months,” states Milberg’s class action lawsuit.

On its website, CSI describes itself as, “The most trusted partner in background screening and security consulting.” In its own words, “What began as a small private investigation firm has evolved into a global, full-service employment screening and security consulting firm, serving corporate, nuclear, and government market sectors.”

Despite its “45 years of service you can trust,” at least 164,673 people had their trust violated and their privacy rights obscured due to CSI’s failure to maintain proper data security protocols, according to a Milberg class action complaint filed on March 22, 2022.

CSI admitted to the data breach in consumer notification letters it sent in late February 2022—nearly a full month after it learned of the data breach on January 25, 2022. The Attorney General of Maine reports that the data breach occurred on November 23, 2021.

As a result, “CSI failed to monitor their networks to ascertain whether there were any intrusions, and failed to detect an intrusion for over two months,” states the complaint. CSI then, “sat on the information for nearly a month.” Delaying notification to data breach victims “allowed CSI to dodge responsibility and inevitably worsened the victims’ chances at weathering the storm that CSI created,” the complaint adds.

Compounding the issue, CSI suffered a previous data breach and had released a notification about it just months prior, on September 27, 2021.

Social Security, Driver’s License Numbers Among Compromised Information

The Maine Secretary of State notes that information stolen in the CSI data breach includes financial account numbers or credit/debit card numbers in combination with the security code, access code, password, or PIN for the account. In its consumer notification letter CSI states that information involved in the breach may include names, dates of birth, Social Security numbers, and/or driver’s license numbers. The lead plaintiff states that their email address was compromised as well.

This stolen information could be released on the “cyber black market” and lead to an increased risk of fraud and identity theft for years to come, Milberg’s lawsuit points out. Specifically, identity thieves can use SSNs to apply for credit lines, file fraudulent tax returns, and apply for a job using a fake identity. Stolen driver’s license numbers are also highly valuable to thieves, allowing them to manufacture fake IDs, falsely verify identification, and engage in phishing attacks. Such fraudulent activity could take years for victims to detect and, once detected, impose significant costs to correct.

Lead Plaintiff and Putative Class

The plaintiff in the class action lawsuit, Colorado resident Ryosuke Kondo, says that he received a data breach notification letter from CSI on February 23, 2022. Following the breach, a cybercriminal fraudulently opened a Best Buy account in Kondo’s name. Kondo has suffered not only actual fraud from the data breach, but going forward anticipates spending considerable time and money trying to mitigate and address harms caused by the data breach, including increased risk of identity theft and fraud.

Kondo has proposed a class consisting of: All persons who utilized CSI’s services, whose Private Information was maintained on CSI’s system that was compromised in the Data Breach, and who were sent a notice of the Data Breach.

If you received a data breach notification letter from CSI, you may automatically be a class member if and when the lawsuit is certified by the court.

The lawsuit seeks on behalf of Kondo and class members compensatory damages, reimbursement for out of pocket costs required to deter and detect identity theft, and injunctive relief, including improvements to CSI’s data security systems and protocols, future annual audits, and credit monitoring services. It asserts claims for negligence, unjust enrichment, and violations of the Massachusetts Consumer Protection Law.

Milberg pioneered federal class action litigation and continues to be a national leader in class actions and data breach lawsuits. For the latest firm news, follow us on Facebook and Twitter. To discuss a possible violation of your consumer rights, please contact us.