Canon USA Settles with Employees Affected by 2020 Ransomware Attack


Canon USA has agreed to settle claims regarding the data breach it suffered in August of 2020 and will pay cash to affected employees whose personal data was compromised.

Canon USA has agreed to pay employees that were affected by the data breach up to $7,500 for monetary losses and $300 for out-of-pocket expenses in a deal that has been filed in federal court, Bloomberg Law reports. Nine named plaintiffs had filed a class-action lawsuit against the camera company for what they describe as failing to encrypt their personal information or take any other “adequate” measure to protect it. They also claimed Canon did not provide notice of the breach to affected employees fast enough.

Canon was hit by a ransomware attack in August of 2020. A group called Maze claimed responsibility for the attack and was able to glean a wide range of internal information including email, team collaboration software, the entirety of the Canon USA website data, and other internal applications. Maze claimed it had stolen a total of 10 terabytes of data in the attack.

For a time after the attack, all of Canon USA’s websites were down and returned an Internal Server Error.

It wasn’t until the following November that Canon publicly confirmed that a large amount of information had been stolen from its network and gave notice that the server involved housed a “significant amount” of its employees’ personal information, including their Social Security numbers, driver’s license numbers, or other government-issued identifications. The company also admitted that the attackers managed to take financial account numbers Canon used for direct deposit for employees as well as any e-signatures and dates of birth.

The theft covered an extensive period: data was taken from any employee who had worked at Canon from 2005 through the attack in 2020. It was never made clear if Canon ever paid the ransom.

Last year, General Electric settled a class action lawsuit with its own employees over a data breach at Canon Business Process Services. While it’s not clear if this is the same incident, the data that was stolen appears to be of a similar nature.

“One thing is clear: the Data Breach could have been avoided through basic security measures, including multifactor authentication and user security training,” that lawsuit contended, which is similar to the language used by the Canon class-action lawsuit.

Resolving the lawsuit this way does not require Canon to admit to any wrongdoing.

When asked how many employees were affected and if it paid the ransom, Canon declined to comment.
