HanesBrands offers to settle with employees HanesBrands offers settlement to employees affected by ransomware attack. Employees will have option of credit monitoring, $50 store credit or $35 cash payment

HanesBrands Inc., will give some current and former employees the option of credit and identity monitoring, up to a $50 Hanes store credit and $6.99 in shipping costs, or a cash payment of $35 in a proposed settlement of a federal lawsuit tied to a May 2022 ransomware attack.

Separate lawsuits were filed in February 2023 in California and North Carolina on behalf of 75,000 current and former employees.

Both lawsuits allege the ransomware attack exposed current and former employees to potential identity theft, and that the company didn't have adequate safety measures in effect.

The suits were combined in the Middle District of N.C. with Nicole Toussaint as the lead plaintiff.

Ransomware is a type of malicious software employed by hackers that can block access to a computer system until a ransom is paid. In recent years, the targets have shifted from individuals to governments, companies, nonprofits and health care systems.

The lawsuit's main allegation is that the ransomware attack contributed to a data breach of "certain highly sensitive personal and protected health information" that included name, address, date of birth, financial account information and government-issued identification numbers, and other health and employment accounts.

The complaint alleges the ransomware attackers "intentionally targeted" HanesBrands for employee information that could be sold for use on the "dark web."

According to the proposed settlement, which came out of mediation held in November, HanesBrands has agreed to pay up to $100,000 for all documented out-of-pocket expenses.

Those expenses can include certain internet and phone charges, and the cost of obtaining credit reports, credit monitoring and fraud resolution services.

HanesBrands also agreed to: implement data security measures; cover the cost of notifying affected current and former employees; administrative costs; service award payments for the lead plaintiffs if awarded by the court; and up to $475,000 in attorney fees and expenses.

"The settlement is a strong result for the settlement class, securing valuable benefits while eliminating the risks of continued litigation," according to the lawsuit.

HanesBrands could not be immediately reached for comment on the proposed settlement. When the federal lawsuits were filed, HanesBrands said it is "vigorously defending these matters and believe the cases are without merit."

HanesBrands said in a May 31, 2022, regulatory filing that it began experiencing the ransomware attack on May 24, 2022. It said it experienced at least a $100 million loss in global sales form the attack.

Toussaint said she wasn't notified of the data breach until Aug. 16. She lives in Maine and was employed as an assistant manager by HanesBrands from 2012 through 2018.

HanesBrands did not say at that time whether the attack affected only internal operations, or whether the information held hostage affected employees and customers.

HanesBrands said the ransomware attack affected its global supply chain network and ability to fulfill customer orders for about three weeks.

The manufacturer said at the time it had notified law enforcement and was cooperating with the investigation in addition to engaging attorneys, a cybersecurity forensic firm and other professionals to deal with the response.

HanesBrands said it "took extraordinary and immediate action to re-secure the implicated data set." That included disclosing that it reached a payment agreement of an undisclosed amount to the ransomware attacker.

In exchange, the attacker agreed to not disseminate the information and to delete the information from its systems with confirmation provided. HanesBrands said it was provided evidence on June 3, 2022, that those actions had occurred.

In November, the manufacturer disclosed it received at least $20.5 million in insurance compensation in 2023 for the attack.

[email protected]@rcraverWSJ