Airport retailer agrees to $6.9 million settlement over ransomware data breach

The airport retail company Paradies Shops is close to finalizing a $6.9 million settlement to resolve a class-action lawsuit on behalf of employees whose personal information was stolen in a ransomware attack in 2020. 

The settlement was preliminarily approved by a federal judge in Georgia this week and has been agreed to by the company and the plaintiffs. 

According to a complaint filed by a former employee, cybercriminals exfiltrated records that held personal information like names and Social Security numbers belonging to 76,000 current and former employees of Paradies Shops. As of 2021, the Atlanta-based company had more than 1,000 stores, bars and restaurants in airports throughout the U.S. and Canada. 

The attackers accessed the company’s administrative system over five days in October 2020. The REvil ransomware group reportedly claimed to be behind the incident. Paradies Shops sent out notifications to data breach victims eight months later, as well as notices to state attorneys general. 

The suit alleged that the company was negligent and careless in protecting the information it collected from employees, and that waiting to inform victims harmed them further. The company also “purposefully maintained secret the specific vulnerabilities and root causes of the breach.”

Paradies denied these claims and agreed to the settlement because it “concluded that further conduct of the Litigation would be protracted and expensive.”

Such class-action lawsuits are now standard following data breaches. Earlier this week, the eyecare company Retina Group of Washingtonagreed to a $3.6 million class-action settlement with victims of a data breach in 2023. Last fall, Lehigh Valley Health Network agreed to pay $65 million after a hacker accessed sensitive patient information, including naked photos of patients.