Food Stamp Recipients’ Personally Identifiable Information (PII) Stolen From Private Equity Firm

A cyberattack and data breach at a Rhode Island private equity firm, Nautic, is the basis of a recent federal lawsuit filed in U.S. District Court, Providence, Rhode Island. 

Wall Street private equity firm Blackstone, with assets of $881 billion under management, acquired a major stake in Nautic in 2021.

How data belonging to food stamp recipients ended up in a private equity firm’s database is at the center of the case.

The plaintiff says that she received a letter on January 12, 2024 from Nautic Partners, LLC, stating that the company discovered unauthorized access to its network between February 23 and April 5, 2023.

The letter states: “Based on our comprehensive investigation and manual review of files that were potentially accessed or removed from our network, which concluded on December 29, 2023, we discovered that your full name and the following were contained in the aforementioned files: Social Security number.”

The suit is potentially a class action. Claims of individual members exceed $5 million not counting interest and costs, according to the complaint. 

A middle market private equity firm, Nautic Partners says on its website that it focuses on “three specialties while supporting the long-term value creation of our portfolio companies.” The sectors are “healthcare, services, and industrials.”

The healthcare and services components may explain why the plaintiff’s social security number was in the database. She was not familiar with Nautic before receiving the notice letter. According to her complaint, the problems she has experienced due to the breach involve her Electronic Benefits Card.

They include an increase in spam calls, texts, and/or emails, and multiple fraudulent charges, including $400 in charges to her food stamp benefit.

Nautic Partners is being sued on two counts – negligence and unjust enrichment. 

“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from a foreseeable and preventable cyber-attack,” according to the complaint.