Ermenegildo Zegna, based in Milan, Italy, announced a data breach stemming from a ransomware attack. While details about the Zegna breach are still forthcoming, the company confirmed that the attack affected the majority of its IT system and may result in the personal information of customers, employees and other parties being compromised. On April 11, 2022, the company filed official notice of the data breach with the Securities and Exchange Commission.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. More about what you can do if your data was stolen is available in our prior blog post, "A Guide For Victims of a Data Breach”.

The Link Between Data Breaches and Identity Theft

Technological advancements over the past few decades have allowed for more information to be stored electronically. While this makes it easier for businesses and other organizations to maintain consumer data, it also exposes this information to the risk of a data breach. In fact, according to recent estimates, as many as 15 million people fall victim to identity theft every year. Many cases of identity theft arise as a result of data breaches, such as the one recently announced by Zegna.

Identity theft occurs when a criminal actor uses another’s information to assume their identity. There are several reasons why someone may attempt to steal another’s identity. Most often, criminals engage in identity theft for their own financial gain, for example, by opening up a bank account or credit card in a victim’s name. On average, victims of identity theft spend more than $1,300 and about 200 recovering their identity. However, in some cases, the harms are much worse. For example, in cases of criminal identity theft, a criminal provides a victim’s information to the police if they get arrested, possibly leading to a warrant for the victim’s arrest and even a criminal record. In other cases, criminals use consumers’ protected health information against them by threatening to release the information unless the victim pays a “ransom.”

By investigating the Zegna data breach, Console & Associates, P.C. hopes to help victims understand the possible risks of identity theft and learn how they may be able to obtain compensation for everything they’ve gone through and may need to go through in the future.

About Ermenegildo Zegna

Ermenegildo Zegna is a fashion designer and clothing manufacturer based in Milan, Italy. The company was founded in 1910 by Ermenegildo Zegna and is still owned and operated by the Zegna family. The company employs more than 7,000 people and generates annual revenue of approximately $1 billion. Ermenegildo Zegna is publicly traded on the New York Stock Exchange under the ticker symbol “ZGN.”

Data Breaches Are Becoming a National Crisis

The concept of a data breach is not new; however, given changes in how cybercriminals are carrying out their attacks, the risks to consumers are greater than ever before. For example, between the years 2020 and 2021, the number of data breaches increased by 68%. However, the total number of data breach victims over this same period actually decreased by about five percent. Unfortunately, this isn’t necessarily good news. According to the Identity Theft Resource Center, the reduction in the number of victims is a function of cybercriminals focusing their efforts on obtaining more on stealing specific types of data, such as bank account information, Social Security numbers, and protected health information. Not surprisingly, data breaches involving this information present a much greater risk to consumers. Still, there are more than 188 million data breach victims per year.

Data breaches occur in several ways. For example, the installation of malware programs, ransomware attacks, and phishing scams are all common. In each of these, a hacker targets an organization, usually with knowledge or suspicion of vulnerabilities in the company’s data security system. Once the hacker accesses an organization’s computer network, they can access and steal any consumer data located on the affected network.

Organizations such as businesses, non-profits, educational institutions and healthcare providers all have an essential role in preventing data breaches. When an organization stores consumer data, it assumes a duty to protect that information. In reality, an organization’s data security system is the front line of defense against a cyberattack. Thus, it is imperative that organizations understand their data security responsibilities and that they take them seriously. Unfortunately, many organizations have been slow to adopt the latest data security measures, despite raking in millions of dollars in profit each year. Data breach class action lawsuits hold organizations accountable for their lax data security measures, allowing consumers to send the message that their privacy is important.

What to Do After a Data Breach

Any company or organization that experiences a data breach must provide notice of the breach to affected individuals. These data breach notices provide crucial information and should not be ignored. If you received a data breach letter from Zegna, it is important you take the following steps to protect yourself.

1. Carefully Review the Letter to Confirm What Information Was Compromised: After receiving a data breach notification, the first thing to do is to carefully read the letter to determine what information was involved. While this list provides some basic advice on what to do following a data breach, there are additional steps to take depending on the type of information that was leaked. Also, keep a copy of the data breach letter for your records.

2. Stop All Future Access to Your Accounts: Regardless of the nature of the data breach or what data of yours was compromised, it is important that you change all passwords and security questions for your online accounts, especially your online banking login information. For those accounts that allow you to set up multi-factor authentication, it’s a good idea to do so, as this makes it much harder for an unauthorized party to access your accounts.

3. Protect Your Credit: More than 70% of data breaches involve compromised Social Security numbers or bank account information. This is by design, as cybercriminals can relatively easily use this information for their own financial gain. Thus, it is essential to take the necessary steps to prevent unauthorized access to your credit. After announcing a data breach, organizations usually offer free credit monitoring for a certain period of time. Importantly, you don’t give up any rights by signing up for free credit monitoring, so there is no reason not to do so.

4. Think About Placing a Credit Freeze: A credit freeze is an alert on your credit file placed by one of the three major credit bureaus (TransUnion, Equifax and Experian). When the credit bureau puts a credit freeze on your account, it prevents anyone from accessing your credit unless you give them permission to do so. Credit freezes remain active until you remove them; however, you can temporarily lift a freeze, for example, if you need to apply for a loan. According to the Identity Theft Resource Center, placing a credit freeze is the “single most effective way to prevent a new credit/financial account from being opened.” However, ITRC reports that just 3% of consumers whose information is leaked place a freeze on their accounts.

5. Closely Monitor Your Credit Report and Bank Accounts: For data breach victims, the unfortunate reality is that addressing the situation is an ongoing effort. Protecting yourself from the ongoing threat of identity theft is something you need to stay on top of. After receiving a data breach notification, regularly check your bank accounts and credit card accounts for any signs of unfamiliar transactions. You should also regularly check your credit report. By doing so, you will be able to tell whenever a company runs a credit check.

6. Contact a Data Breach Lawyer as Soon as Possible: If your information was exposed through a data breach, it is important you don’t wait to speak with a lawyer. Under the United States data breach laws, the company responsible for keeping your information safe may be financially responsible for your damages. These damages are intended to compensate you for the money and time dedicated to recovering your identity. However, these cases aren’t just about the money. Data breach class action lawsuits are also important tools consumers can use to convince large companies to take data security more seriously. Over time, organizations will learn that they either need to implement more comprehensive data security measures or face the threat of financial liability.

The relevant portion of the Zegna SEC filing is included below:

[I]n August 2021 we were subject to a ransomware attack that impacted the majority of our IT systems. As we refused to engage in discussions relating to the payment of the ransom, the responsible parties published certain accounting materials extracted from our IT systems. We publicly announced the IT systems breach and gradually restored our IT systems from secure back up servers during the weeks following the breach. Although our systems are diversified, including multiple server locations, third party cloud providers and a range of software applications for different regions and functions, and we periodically assess and implement actions to ameliorate risks to our systems, a significant or large scale malfunction or interruption of our systems could adversely affect our ability to manage and keep our operations running efficiently, and damage our reputation if we are unable to track transactions and deliver products to our customers. A malfunction that results in a wider or sustained disruption to our business could have a material adverse effect on our business, results of operations and financial condition. In addition to supporting our operations, we use our systems to collect and store confidential and sensitive data, including information about our business, our customers and our employees. Any unauthorized access to our information systems may compromise the privacy of such data and expose us to claims as well as reputational damage. Ultimately, any significant violation of the integrity of our data security could have a material adverse effect on our business, results of operations and financial condition. See “—We are exposed to the risk that personal information of our customers, employees and other parties collected in the course of our operations may be damaged, lost, stolen, divulged or processed for unauthorized purposes.” Our recently acquired businesses may use different information technology and data processing systems than those used at a broader group level, which could make it more complex to prevent or timely address any of the foregoing events.