
Employee Lawsuit Ends in Multimillion-Dollar Settlement with Airport Retailer

76,000 exposed.
Emily Hill
Contributing Writer

In the wake of a ransomware attack in 2020, Paradies Shops, an airport retail company with over 1,000 locations across the U.S. and Canada, is preparing to pay $6.9 million to settle a class-action lawsuit filed by affected employees. The settlement, recently preliminarily approved by a federal judge in Georgia, addresses claims that the company failed to adequately protect employee data and improperly delayed breach notifications.

The incident in question involved the exfiltration of highly sensitive personal information, including names and Social Security numbers, belonging to roughly 76,000 current and former employees. The attackers, allegedly associated with the REvil ransomware group, infiltrated Paradies’ administrative systems over a five-day span in October 2020.

Victims were not notified until eight months later, a delay that became central to the lawsuit’s allegations of negligence.

Why It Matters: This case illustrates the evolving legal and financial risks companies face in the wake of ransomware attacks. Simply being a victim of cybercrime no longer shields organizations from legal scrutiny, especially when delays in notification or vague disclosures about security lapses follow. As class-action lawsuits become more common, particularly when personal data is involved, companies are now expected to uphold higher standards of transparency, incident response, and preventive cybersecurity practices.

  • Incident Overview: The ransomware breach occurred in October 2020 and lasted five days. During that time, attackers gained access to Paradies Shops’ administrative systems and stole sensitive data. The breach affected both current and former employees, totaling around 76,000 individuals. The REvil ransomware group, notorious for high-profile attacks and data exfiltration tactics, was linked to the incident.
  • Delayed Response Draws Criticism: One of the most contentious aspects of the case was the delay in notifying affected individuals. Paradies took eight months to issue breach notifications and contact relevant regulatory agencies. Plaintiffs argued this delay left victims more vulnerable to identity theft and fraud, and amounted to a failure in basic breach response protocols.
  • Legal Allegations and Company’s Position: The lawsuit, filed by a former employee, claimed that Paradies was negligent in protecting the personal data it collected. It further alleged the company deliberately withheld details about the vulnerabilities exploited in the attack and failed to provide adequate disclosure to victims and authorities. Paradies denied all wrongdoing but agreed to settle in order to avoid prolonged litigation costs and uncertainties.
  • Broader Legal Context: This case is part of a growing trend: companies are increasingly facing class-action lawsuits in the aftermath of ransomware incidents. Just this week, the Retina Group of Washington reached a $3.6 million settlement over a 2023 breach. In 2024, Lehigh Valley Health Network agreed to pay $65 million after hackers accessed highly sensitive patient records. These cases reflect a shift from operational damage to legal and reputational consequences that can persist for years.
  • Implications for Data Security Strategy: The Paradies case emphasizes the importance of proactive cybersecurity, timely incident disclosure, and transparency with affected parties. As regulators and courts focus more on how breaches are handled, rather than just how they happen, companies must reassess breach preparedness plans, internal policies, and communication protocols. In the age of data-driven litigation, the cost of silence can be just as high as the breach itself.

Go Deeper -> Airport retailer agrees to $6.9 million settlement over ransomware data breach – The Record

Airport Retailer Faces $6.9M Lawsuit Settlement Following Ransomware Attack – Halcyon
