A federal court has given preliminary approval of a proposed HanesBrands Inc. settlement of a lawsuit tied to a May 2022 ransomware attack.
Part of the settlement involves providing some current and former employees the option of two years' worth of credit and identity monitoring, up to a $50 Hanes store credit and $6.99 in shipping costs, or a cash payment of $35 in a proposed settlement of a federal lawsuit tied to a May 2022 ransomware attack.
HanesBrands has agreed to pay up to $100,000 for all documented out-of-pocket expenses.
Separate lawsuits were filed in February and April 2023 in California and North Carolina on behalf of 75,000 current and former employees. The suits were combined in the Middle District of N.C. with Nicole Toussaint as the lead plaintiff.
HanesBrands listed in a third-quarter regulatory report posted Friday that a federal judge for the Middle District of N.C. gave preliminary approval of the settlement on Nov. 5. A hearing on final approval of the order is set for March 10.
"We currently anticipate the cost of the proposed settlement to be between $1 million and $2 million," the manufacturer said.
Both lawsuits allege the ransomware attack exposed current and former employees to potential identity theft, and that the company didn't have adequate safety measures in effect.
Ransomware is a type of malicious software employed by hackers that can block access to a computer system until a ransom is paid. In recent years, the targets have shifted from individuals to governments, companies, nonprofits and health care systems.
The lawsuit's main allegation is that the ransomware attack contributed to a data breach of "certain highly sensitive personal and protected health information" that included name, address, date of birth, financial account information and government-issued identification numbers, and other health and employment accounts.
The complaint alleges the ransomware attackers "intentionally targeted" HanesBrands for employee information that could be sold for use on the "dark web."
Those expenses can include certain internet and phone charges, and the cost of obtaining credit reports, credit monitoring and fraud resolution services.
HanesBrands also agreed to: implement data security measures; cover the cost of notifying affected current and former employees; administrative costs; service award payments for the lead plaintiffs if awarded by the court; and up to $475,000 in attorney fees and expenses.
"The settlement is a strong result for the settlement class, securing valuable benefits while eliminating the risks of continued litigation," according to the lawsuit.
HanesBrands has not commented on the proposed settlement. When the federal lawsuits were filed, HanesBrands said it is "vigorously defending these matters and believe the cases are without merit."
Background
HanesBrands said in a May 31, 2022, regulatory filing that it began experiencing the ransomware attack on May 24, 2022. It said it experienced at least a $100 million loss in global sales from the attack.
Toussaint said she wasn't notified of the data breach until Aug. 16. She lives in Maine and was employed as an assistant manager by HanesBrands from 2012 through 2018.
HanesBrands did not say at that time whether the attack affected only internal operations, or whether the information held hostage affected employees and customers.
HanesBrands said the ransomware attack affected its global supply chain network and ability to fulfill customer orders for about three weeks.
The manufacturer said at the time it had notified law enforcement and was cooperating with the investigation in addition to engaging attorneys, a cybersecurity forensic firm and other professionals to deal with the response.
HanesBrands said it "took extraordinary and immediate action to re-secure the implicated data set." That included disclosing that it reached a payment agreement of an undisclosed amount to the ransomware attacker.
In exchange, the attacker agreed to not disseminate the information and to delete the information from its systems with confirmation provided. HanesBrands said it was provided evidence on June 3, 2022, that those actions had occurred.
In November, the manufacturer disclosed it received at least $20.5 million in insurance compensation in 2023 for the attack.
336-727-7376
@rcraverWSJ
Love 0 Funny 0 Wow 0 Sad 0 Angry 0
The business news you need
Get the latest local business news delivered FREE to your inbox weekly.
Sign up! * I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy. Richard Craver Author email Follow Richard Craver Close Get email notifications on {{subject}} daily! Your notification has been saved. There was a problem saving your notification.
{{description}}
Email notifications are only sent once a day, and only if there are new matching items.
Save Manage followed notifications Close Followed notifications Please log in to use this feature Log In Don't have an account? Sign Up Today