Posted On February 4, 2022 Consumer Privacy & Data Breaches
February 4, 2022 – Recently, customers and other parties associated with the apparel company PUMA North America, Inc., learned that a workforce and human resource management firm that PUMA contracts with was the victim of a ransomware attack. As a result of the PUMA data breach, the personal information of more than 6,600 individuals was compromised. While neither PUMA nor UKG, Inc., the target of the cyberattack, can confirm which consumers’ data was viewed or stolen, UKG, Inc. confirmed that some files were stolen from the company’s network and that they contained certain individuals’ names and Social Security numbers.
News of the PUMA/UKG data breach just broke, and details of the event are still sparse. However, the data breach lawyers at Console & Associates, P.C. are actively investigating the security breach. If an investigation reveals that PUMA or UKG failed to ensure the safety of consumer data leading up to the breach, the companies may be liable through a data breach class action lawsuit.
Cyberattacks such as this one are increasingly common in today’s society. Today more than ever, businesses store data electronically. While there are certainly many ways to protect against cyberthreats, hackers have ways of identifying vulnerabilities in data security systems, which they can then exploit.
When a hacker breaches a company’s computer systems, they can steal sensitive consumer information from the compromised systems. While there is no guarantee that this information will be used for criminal purposes, that is not an uncommon occurrence. Thus, as a matter of course, after a company experiences a data breach, they will inform anyone whose information was compromised. Despite the risks data breaches present, many consumers fail to take precautionary measures to protect themselves from identity theft and other frauds.
Those impacted by a data breach should be sure they understand what happened, what their rights are, and how they can pursue them.
When you allowed PUMA access to your personal data, you trusted the company to keep your sensitive information safe. You may not have been aware that PUMA would share your information with another company. However, even if you were, you’d assume that PUMA and the companies it trusts would take the necessary precautions to keep your data secure. Thus, news of the PUMA/UKG data breach raises some very serious questions about the companies’ data security measures, and whether there was more the businesses could have done to prevent this type of cyber-attack.
Regardless of the industry, all businesses have a legal obligation to protect consumer information in their possession. Although creating and maintaining a data security system is costly, this is a necessary expense given the frequency with which cyberattacks occur.
Consumers whose personal data was compromised in a data breach can pursue legal action against a company that misused or mishandled their information. However, the investigation into the PUMA breach is only in its beginning phases. For that reason, it is too early to tell if PUMA North America, Inc. or UKG, Inc. was legally responsible for the breach. In the meantime, our data breach attorneys are investigating the PUMA/UKG data breach to determine the potential legal remedies of those affected.
If you have questions about your ability to pursue a data breach class action lawsuit against PUMA or UKG, contact a data breach attorney as soon as possible.
If you receive a data breach notification from PUMA North America or UKG in the coming weeks, it means your personal data was among that which was compromised in the recent cyberattack. It also means a cybercriminal had access to—and may have stolen—your personal data. Given the risks involved, it is important you remain vigilant by taking the following steps:
While placing a credit freeze on your accounts may initially seem like a drastic measure, according to the Identity Theft Resource Center (“ITRC”), doing so is the “single most effective way to prevent a new credit/financial account from being opened.” However, the ITRC reports that just 3% of consumers whose information is leaked place a freeze on their accounts.
PUMA North America, Inc. is an apparel company and division of the larger PUMA SE company. PUMA North America specifically focuses on sports apparel and equipment. PUMA SE was founded in 1948 and has 377 smaller companies under its corporate umbrella. PUMA North America alone has 2,294 employees and generates more than $681 million in annual revenue. The larger PUMA SE company is based in Herzogenaurach, Germany, and brings in approximately 5.23 billion Euros in annual sales.
According to an official notice filed by UKG, Inc., a workforce and human resource management company that PUMA works with, the company began experiencing service interruptions across some of its cloud-based systems on December 11, 2021. Evidently, PUMA provided UKG, Inc. with certain consumer data due to the companies’ relationship and the services UKG provided for PUMA.
Once UKG, Inc. learned of the possible cyberattack, it initiated an internal investigation, during which the company learned that it was the victim of a ransomware attack. Further investigation revealed that, earlier in 2021, a cybercriminal gained access to the company’s servers, removed certain data, and then encrypted the files.
Upon learning of the extent of the security breach, UKG then reviewed the affected files to determine what information was compromised. On January 7, 2022, the company confirmed that the information may have included the names and Social Security numbers of some parties that had provided PUMA North America with their information. On January 10, 2022, UKG informed PUMA of the breach. According to one source, there may be as many as 6,632 individuals who were affected by the breach.
On February 3, 2021, UKG began sending out data breach notification letters to all individuals whose information was contained in the affected files.
Below is a portion of the initial data breach letter issued by UKG, Inc. (a sample of the complete notice sent to consumers can be found here):
Dear [Consumer],
UKG Inc., and its affiliates and subsidiaries (collectively, “UKG”, “Kronos” or “we”), is a workforce and human resource management services company that provides services to PUMA North America, Inc. (“PUMA”). We place a high value on maintaining the privacy and security of the information we maintain for our customers. Regrettably, this letter is to inform you that we were recently the victim of a ransomware attack that involved some of your personal information, which was provided to us in connection with the services we provide to PUMA. This letter explains the incident, the measures we have taken in response and the steps you can take.
What Happened? On December 11, 2021, we began experiencing service interruptions in some of our cloud-based systems. Immediately upon discovering that we were experiencing a potential security incident, we took steps to secure the affected environment. Shortly thereafter, we determined that we were the victim of a ransomware attack. While our investigation of this matter is ongoing, we have determined that a malicious actor or actors accessed the cloud-based environment earlier in 2021, stole data from that environment and encrypted the environment. Since the attack was discovered, Kronos has been conducting a comprehensive review of the impacted environment to determine whether any individual’s personal information was subject to unauthorized access or acquisition. On January 7, 2022, Kronos confirmed that some of your personal information was among the stolen data. We notified PUMA of this incident on January 10, 2022.
What Information Was Involved? The personal information involved included your [Extra2].
What We Are Doing? Data privacy and security are among our highest priorities, and we have extensive measures in place to protect information entrusted to us. Upon discovering the incident, we immediately took steps to reduce the risk to customers and the data in our systems. We are working with leading cybersecurity experts and have notified the authorities. To help prevent similar incidents from happening in the future, we have implemented and are continuing to implement additional procedures to further strengthen the security of our IT system environments, including expanding the scanning and monitoring program of these environments.
What You Can Do? We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your free credit reports for suspicious activity and to detect errors. Enclosed with this letter are some steps you can take to protect your information. At this time, we have no evidence that any personal information has been used inappropriately. However, as a measure of added security and to help protect your identity, we are offering a complimentary 24-month membership to Experian’s® IdentityWorks℠. This product provides you with services including credit monitoring, identity restoration, and identity theft insurance. To activate your membership and start monitoring your personal information please follow the steps below: