ABA faces lawsuit over data breach
A would-be class action lawsuit has been filed against the American Bar Association for an alleged failure to safeguard members' data that was exposed in a security breach.
The ABA notified members April 20 that the breach had exposed usernames and “hashed and salted” passwords that may have been used to access some online accounts.
Hashing and salting “is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” the ABA explained in its online notice. Plain text passwords were not exposed.
The exposed information was for member logins to the old ABA website before 2018 and the ABA Career Center since 2018. The ABA said it had no information that the members’ information was misused.
The suit’s name plaintiff, Tiffany Troy, alleged that the ABA “grossly failed to comply with security standards.” The law firm where she is of counsel, Troy Law, filed the suit.
The suit also said the ABA “failed to uncover and disclose the extent of the breach and notify its affected customers of the breach in a timely manner.”
The ABA said it retained cybersecurity experts to investigate after the association “observed unusual activity on its network” March 17. The investigation determined that the unauthorized third party gained access to unauthorized information beginning around March 6. On March 23, the investigation found that the third party had obtained the usernames and hashed and salted passwords.
The suit was filed in U.S. District Court for the Eastern District of New York. It seeks to represent all persons in the United States who registered an account with the ABA, excluding the ABA and its employees, officers, agents and directors.
The suit alleges breach of an implied contract to safeguard data and violation of state consumer fraud laws.
The ABA does not comment on ongoing litigation, according to Carol Stevens, associate executive director of ABA Media Relations & Strategic Communications. She previously confirmed to the ABA Journal that 1.5 million members’ accounts were affected in the data security breach.