Heavy truck and military vehicle manufacturer Navistar is facing a lawsuit over a data breach in May that may have exposed sensitive personal information of tens of thousands of current and former employees and health plan participants.
Lawyers representing Thomas Kalbrier, a former Navistar engineer, and Cherrie Kalbrier, a company health plan participant, filed a lawsuit in U.S. District Court for the Northern District of Illinois on Oct. 1 alleging that the company negligently stored personal information and failed to properly safeguard its network and systems. The suit seeks unspecified damages and class-action status for others affected by the breach.
“[Navistar] maintained the private information in a reckless manner,” states the complaint, filed by lawyers with Chicago law firm Mason Lietz and Klinger. “In particular, the private information was maintained on defendant Navistar’s computer network in a condition vulnerable to cyberattacks of this type.”
The lawsuit came after Navistar — owned by Volkswagen’s Traton Group — disclosed that 49,000 people had been affected by the breach in a notice to the U.S. Department of Health and Human Services on Sept. 24. Those affected are participants in the company’s employee health plan and retiree health and life insurance plan.
The information may have included Social Security numbers, in addition to names, addresses and birthdates, according to a security notice recently posted by Navistar to its website, which mirrors letters sent to those affected by the breach. The company said it was not aware of any third party using that data.
Navistar first disclosed what it characterized as a “cybersecurity incident” in an SEC filing on June 7. The company said in the filing that it first detected the incident on May 20 but disclosed in the security notice that it believes it occurred earlier.
Lawsuit alleges failure to properly monitor systems
The lawsuit characterizes the incident as a cyberattack and appears to challenge Navistar’s version of events. It alleges that the attack was only detected on May 31 — the date when the company said it first learned that data was stolen.
“Had [Navistar] properly monitored their property, they would have discovered the intrusion sooner,” the complaint states.
A cybercriminal group called Marketo, which operates a stolen data marketplace on the dark web — has claimed responsibility for the attack. In June, the group posted data it claimed it had stolen from Navistar, offering it as a sample as a larger archive for sale.
A representative of Marketo claimed to FreightWaves in July that the attack on Navistar had lasted over a month and that the hackers were able to reenter the company’s network several times. Marketo said it was not a ransomware attack.
Navistar says it ‘takes the security of its systems and data very seriously’
Navistar did not respond to FreightWaves’ request for comment about the lawsuit. But the company has told those affected by the breach that it “takes the security of its systems and data very seriously and regrets any concern this situation may have caused.”
“Navistar is committed to systems security and the protection of its corporate, customer, dealer, current and former employee, and plan participant information,” the company wrote. “The company has taken a number of steps to enhance its security protocols and controls, technology, and training, and continues to assess additional options to protect its IT systems.”
The company is offering those affected by the breach 24 months of credit and identity monitoring. However, the lawsuit says those measures are insufficient and that the Kalbriers face “substantial and present risk of fraud and identity theft.”
The Kalbriers’ lawyers did not respond to FreightWaves’ request for comment.