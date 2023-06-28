Snack giant Mondelez is being sued by workers who had their personal information, possibly including social security numbers, exposed by a law firm it hired.

Mondelez, the company that makes Oreo cookies and Ritz crackers, informed 51,110 current and former employees earlier in June that a cyberattack on Bryan Cave Leighton Paisner LLP's network earlier this year had exposed their personal data.

According to a letter Mondelez sent to affected employees on June 15, the law firm detected "unauthorized access to its systems" on February 27, including an area it used to store customer files. The access occurred from February 23 until March 1, and also March 24, the letter said.

The class action complaint, filed on June 23, accuses Mondelez Global LLC of betraying the trust of current and former employees "by failing to properly safeguard and protect their personal identifiable information and thereby enabling cybercriminals to steal such valuable and sensitive information," according to a copy of the lawsuit obtained by Newsweek.

It also accuses Mondelez of delaying notification, saying affected individuals were not informed about the breach until June 15 despite Mondelez knowing about it for months.

Oreo Cookies are seen May 13, 2003 in San Francisco. Mondelez workers have filed a lawsuit after their personal information was exposed in a data breach. Justin Sullivan/Getty

The lawsuit says the plaintiff, Daniel Berndt, and more than 100 class members are seeking "appropriate monetary relief, including compensatory damages, punitive damages, attorney fees, expenses, costs, and such other and further relief as is just and proper."

The amount in controversy exceeds $5 million, according to the suit. It notes that Mondelez is one of the world's largest snack companies and that its parent company, Mondelez International, reported global net revenues of about $31 billion in 2022.

It states that identity theft causes tens of billions of dollars of losses to victims in the United States every year.

A spokesperson for parent company Mondelez International declined to comment on the pending litigation but told Newsweek via a statement that the company "took appropriate steps once we were notified about this situation, and we are continuing to work with our partners to provide impacted employees with appropriate assistance."

The multinational said an investigation determined that the personal information stolen in the data breach may include those individuals' social security numbers, first and last names, addresses, date of birth, marital status, gender, employee identification number, and Mondelez retirement and/or thrift plan information.

The lawsuit was filed in the United States District Court for the Northern District of Illinois. Mondelez Global LLC is based in Illinois and employs "a significant number" of the class members in this district, according to the lawsuit, though some reside in other states.

The complaint alleges that Mondelez failed to take the necessary precautions required to safeguard private information.

"Cybercriminals obtained everything they need to commit identity theft and wreak havoc on the financial and personal lives of hundreds of thousands of individuals" due to Mondelez's negligence, it adds.

"For the rest of their lives, Plaintiff and the Class Members will have to deal with the danger of identity thieves possessing and misusing their Private Information. Plaintiff and Class Members will have to spend time responding to the Breach and are at an immediate, imminent, and heightened risk of all manners of identity theft as a direct and proximate result of the Data Breach."

'Devastating Financial and Personal Losses'

With the information stolen in the data breach, identity thieves "can open financial accounts, apply for credit, file fraudulent tax returns, commit crimes, create false driver's licenses and other forms of identification and sell them to other criminals or undocumented immigrants, steal government benefits, give breach victims' names to police during arrests, and many other harmful forms of identity theft," the lawsuit states.

"These criminal activities have and will result in devastating financial and personal losses to Plaintiff and the Class Members."

The letter Mondelez sent to affected individuals said the company "determined that it finally had enough information to determine who was impacted and that affected individuals should be notified" on May 22, and then proceeded to "conduct a thorough review of impacted information to identify all affected current and former employees, which was just completed, and is now providing notification."

A Mondelez International spokesperson said in a statement that said: "We take the security of our employee data very seriously. We took appropriate steps once we were notified about this situation, and we are continuing to work with our partners to provide impacted employees with appropriate assistance, including free credit monitoring and dark web surveillance, as well as fraud consultation services and identity theft restoration support.

"It's important to note that this incident did not occur on or affect Mondelēz International systems or networks in any way."

Newsweek has reached out to an attorney for the plaintiff for further comment.

A spokesperson for Bryan Cave declined to comment. The law firm told The Register in an article published June 20 that it responded quickly to the data breach.

"Upon learning of the issue, we immediately took measures to contain the incident with the assistance of a leading forensics firm, coordinated with law enforcement and are communicating with our affected stakeholders. We remain able and focused on continuing to serve our clients as we resolve this matter."