
This class action describes Parker Hannifin Corporation as “a multibillion-dollar manufacturing company” and “a Fortune 250 engineering company…” But the complaint alleges that, despite the company’s size and sophistication, it failed to take adequate steps to protect the personally identifiable information (PII) and protected health information (PHI) of its current and former employees.
The Nationwide Class for this action is all persons Parker Hannifin identified as being among the individuals affected by the data breach, including all those who were sent a notice of the data breach.
Parker Hannifin appears to understand the responsibilities that come with maintaining PII and PHI. The complaint quotes its Privacy Policy as saying, “Only the Personal Data that is necessary for a legitimate business reason or as required by applicable laws or regulations (the ‘Purpose’) should be collected and Processed. When the Purpose for the Personal Data has ended or is no longer relevant, the Personal Data should be deleted…”
The Privacy Policy also claims that the company takes specific security measures when transferring data: “Parker is committed to protecting the privacy and confidentiality of Personal Data when it is transferred and employs adequate safeguards and protections in any such transfer, including compliance with the EU-US (and the Swiss-US) Privacy Shield Framework.”
But the complaint alleges, “Between March 11 and March 14, 2022, a third party gained unauthorized access to [Parker Hannifin’s] computer systems and exfiltrated 419GB worth of documents containing the sensitive information of its current and former employees.”
On April 1, 2022, the ransomware group Conti posted a sample of the information online. “Upon information and belief,” the complaint alleges, “Conti demanded that [Parker Hannifin] pay a ransom for the safe return and deletion of the Private Information stolen from it. Upon information and belief, [Parker Hannifin] refused this demand.” Conti published the entire 419GB of data on April 20, 2022.
The complaint alleges that the information stolen included names, dates of birth, Social Security numbers, driver’s license and passport numbers, bank account numbers, health insurance plan information, and medical and clinical treatment information, among other things.
The complaint alleges that some of the employee information had been held in unencrypted form for as much as “several decades,” whether or not the employees were still working for the company. The complaint claims, “There is no reasonable justification for [Parker Hannifin] to retain … Private Information in unencrypted form for such long periods of time.”
Notices about the data breach were not sent out to the individual victims, the complaint alleges, until around May 12, 2022.
The complaint alleges that Parker Hannifin “could have prevented this Data breach by properly securing and encrypting the Private Information…, by properly training its employees [to] recognize and prevent cybersecurity risks, and/or by destroying the data it no longer needed.”
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
Parker Hannifin Data Breach Complaint
May 23, 2022