
Paradies Shops, an American retail chain with operations in airports in the United States and Canada, has agreed to pay compensation to settle a class action lawsuit over a data breach that affected 76,000 of its employees following a REvil attack in 2020.
In 2020, hackers accessed the company’s administrative system for five days and stole employees’ personal information: names, Social Security numbers, and other identifying information. The lawsuit was filed by a former employee who accused the company of being negligent about data protection and of informing victims too late, only 8 months after the attack.
The lawsuit alleged that Paradies concealed the specific causes and vulnerabilities that led to the incident. While the company denied any wrongdoing, it agreed to the settlement, stating that further legal investigation would have been “protracted and costly.”
Paradies Shops is one of the largest airport retailers in North America, with more than 1,000 stores. The attack, believed to have been carried out by the notorious REvil hacking group, was part of a series of large-scale extortion schemes in 2020. Such class action lawsuits have become common practice in the US after data breaches. Just last week, Retina Group of Washington agreed to pay $3.6 million, and Lehigh Valley Health Network will pay a record $65 million in 2024 after a breach that leaked medical data and patient images.
This case illustrates a new reality: the losses after a breach are not only technical, but also legal. Companies that collect personal data must not only protect it, but also promptly and transparently inform victims. Otherwise, they face millions in compensation and lost trust.