Cyberattack and Data Breach Alleged at RI Private Equity Firm in Federal Lawsuit
GoLocalProv News Team
Cyberattack and Data Breach Alleged at RI Private Equity Firm in Federal Lawsuit
Plaintiff Hayley Bourque of Melrose, Massachusetts, alleges that she received a letter on January 12, 2024 from Nautic Partners, LLC stating that the company "discovered unauthorized access to our network occurred between February 23, 2023 and April 5, 2023."
A middle market private equity firm, Nautic Partners, on its website, says it focuses on "three specialties while supporting the long-term value creation of our portfolio companies," noting the sectors are "healthcare, services, and industrials." In 2021, mega Wall Street firm Blackstone took a major stake in Nautic.
GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLASTIts founders include Bernie Buonanno, III -- the brother of gubernatorial candidate Helena Foulkes -- and Habib Giorgi, one of the members of the group who purchased the Pawtucket Red Sox from Ben Mondor's widow and moved the team to Worcester.
At the center of the case are questions about how an alleged data breach at a private equity firm in Providence could have potentially impacted Bourque's Electronic Benefits Card (EBT).
Bourque, in the lawsuit, says she does not know how or when Nautic Partners obtained her personal information -- and "she was not familiar with Defendant before receiving the Notice Letter."
According to the lawsuit, Nautic Partners, in the letter received by Bourque, wrote, "Based on our comprehensive investigation and manual review of files that were potentially accessed or removed from our network, which concluded on December 29, 2023, we discovered that your full name and the following were contained in the aforementioned files: Social Security number."
Bourque -- who is represented locally by Vincent Green and well as Washington, DC counsel -- says she then began "experiencing an increase in spam calls, texts, and/or emails...[and] multiple fraudulent charges."
Now, attorneys are alleging there is a class action with "at least 100 putative Class Members."
"The aggregated claims of the individual Class Members exceed the sum or value of $5,000,000 exclusive of interest and costs, and members of the proposed Class, including Plaintiff, are citizens of states different from Defendant," according to the lawsuit.
The lawsuit alleges that "on or about January 12, 2024, Defendant began sending Plaintiff and other Data Breach victims an untitled letter (the "Notice Letter")" informing them of the following:
What Happened?
We discovered unauthorized access to our network occurred between February 23, 2023 and April 5, 2023.
What We Are Doing.
We immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations to analyze the extent of any compromise of the information on our network.
What Information Was Involved?
Based on our comprehensive investigation and manual review of files that were potentially accessed or removed from our network, which concluded on December 29, 2023, we discovered that your full name and the following were contained in the aforementioned files: Social Security number.
The lawsuit goes on to state:
"Omitted from the Notice Letter were the date that Defendant detected the Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these critical facts have not been explained or clarified to Plaintiff and Class Members, who retain a vested interest in ensuring that their PII remains protected."
According to attorneys representing Bourque -- the plaintiff -- she, along with her "PII" -- personally identifying information -- has already been impacted.
"Plaintiff and Class Members have suffered injury as a result of Defendant’s conduct. These injuries include: invasion of privacy; theft of their PII; lost or diminished value of PII; lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) experiencing an increase in spam calls, texts, and/or emails; Plaintiff experiencing multiple fraudulent charges, for nearly $1000, to her Eastern Bank debit card, in or about March 2023; Plaintiff experiencing fraudulent charges, for approximately $400, to her Food Stamp card, in or about March 2023; statutory damages; nominal damages; and the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII," according to the lawsuit.
"Plaintiff and Class Members "may also incur out of pocket costs, e.g., for purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft," the lawsuit continues.
Nautic Partners is being sued on two counts -- negligence and unjust enrichment.
"The PII compromised in the Data Breach was exfiltrated by cyber-criminals and remains in the hands of those cyber-criminals who target PII for its value to identity thieves," states the lawsuit. "The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from a foreseeable and preventable cyber-attack."
Nautic Partners did not respond to request for comment.