PCS Revenue Control Systems, Inc. (PCS) was hit with a proposed class action lawsuit last week alleging that it discovered a data breach from a hacking attack in December 2019 but failed to notify the affected students until March of 2021.

According to the lawsuit, student information was collected by PCS’s predecessor, Advanced Business Technologies (ABT), which provided food, nutrition, and technology services for K-12 schools. The information alleged to have been collected by ABT and in the possession of PCS after the acquisition included the names, dates of birth, Social Security numbers, and student identification numbers of 867,209 students who attended K-12 schools in Alabama, Florida, Georgia, and Texas. It is unclear why a nutrition vendor needs Social Security numbers of students to provide services.

Although the incident was allegedly discovered in December 2019, PCS sent notification letters to affected students and parents only in March 2021, offering one year of free credit monitoring.

Canon U.S.A. Inc. (Canon) was hit with a class action lawsuit in the U.S. District Court for the Eastern District of New York this week for the ransomware attack that exposed current and former employees’ personal information in November 2020. The plaintiffs reside in Ohio, New York, Florida and Illinois, and allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.

The attack on Cannon occurred in August 2020 and affected current and former employees from 2005 to 2020, as well as their beneficiaries and dependents. The information affected included Social Security numbers, driver’s license numbers, financial account numbers, electronic signatures, and dates of birth. The plaintiffs are seeking certification of a nationwide class.

The GEO Group, Inc. (GEO), a publicly held company located in Boca Raton Florida, announced on November 3, 2020, that it is beginning to notify individuals following a ransomware attack that “impacted a limited amount of personally identifiable information and protected health information for some inmates and residents contained on certain servers for a small number of facilities including the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville Pennsylvania, and a now close facility in California. The incident also impacted two corporate servers with employee data.”

According to the statement on its website, the GEO Group is “not aware of any fraud or misuse of information as result of this incident.”

The ransomware attack was discovered by GEO on August 19, 2020. It thereafter launched an investigation with cybersecurity firms and law enforcement. According to the website notice, “the company recovered its critical operating data and, based on its assessment and on the information currently known and obtained through the investigation, the Company does not believe the incident will have a material impact on its business, operations or financial results.”

GEO is a publicly traded organization that “is a fully integrated equity real estate investment trust specializing in the design, financing, development and operation of secure facilities, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom. GEO is a leading provider of enhanced in-custody rehabilitation, post-release support, electronic monitoring, and community-based programs.” It owns or manages 123 facilities totaling approximately 93,000 beds and employing approximately 23,000 professionals. Its website states that its “diversified services platform provides unique capabilities for the delivery of educational and vocational programs, cognitive behavioral and substance abuse treatment, and faith based services across the entire corrections spectrum.”

Based upon the statement, it appears that GEO is notifying affected inmates, residents and employees of the incident.