A complaint filed in the U.S. District Court for the Middle District of Pennsylvania is seeking class action status for litigation against Paytime Inc. in connection with a recent data breach.
The suit lists three plaintiffs — Holly P. White of Lancaster, Doris McMichael of New Cumberland and Daniel B. Storm of Lexington, Ky. — but does not identify their current and past employers who use the payroll-processing services of Upper Allen Township-based Paytime.
"Nationally, over 233,000 individuals have had their personal and financial information misappropriated as a result of the breach of Paytime’s computer network," the complaint says.
It alleges that Paytime "violated federal guidelines and failed to meet current data security industry standards by failing to ensure adequate security over Plaintiffs’ and the proposed Class members’ personal and financial information and by failing to retain Plaintiffs’ and the proposed Class members’ personal and financial information in a secure and safe manner."
The complaint seeks unspecified monetary damages and injunctive relief including provision of credit monitoring, bank monitoring, credit restoration and identity theft insurance services for at least 25 years.
Paytime said it discovered a compromise of user names and passwords related to its client service center on April 30 and began investigating immediately. So far, its crew, along with third-party IT forensic experts and law enforcement, have determined that the intruders — "skilled hackers working from foreign IP addresses" — first gained access to Paytime’s systems April 7.
The scope of the breach included the following, according to a letter Paytime sent clients: “Names, Social Security Numbers, direct deposit bank account information (if provided), dates of birth, hire dates, wage information, home and cell phone numbers, other payroll related information and home addresses were accessed by the intruders. There is also a possibility that information related to corporate bank accounts associated with your payroll was accessed."
Paytime said it has since run multiple tests to confirm security and implemented new monitoring and intrusion detection systems. The company said it will give clients' employees access to one free year of credit monitoring, call center support and identity restoration services in the event any employee discovers fraudulent activity.
Asked about the lawsuit, Paytime issued the following statement:
"As Central Pennsylvania communities are aware, Paytime has been taking, and continues to take the matter of the data security incident very seriously. We are working with internal and third party investigators, the Secret Service, incident response vendors, our business partners, our staff, our clients, their employees and the community to address the concerns and issues that may exist. Now that a complaint has been filed, we must respect the judicial process. There is a formal process we must follow to address the allegations and accusations in the complaint. At this time we are not free to discuss this further. We are confident our good faith efforts to preserve the security and confidentiality of information in our control will prevail in this matter."