The Computer Merchant Settles $610K Data Breach Class Action The Computer Merchant Ltd. (TCM) has agreed to a $610,000 settlement to resolve a class action lawsuit stemming from a July 2024 cyberattack that potentially exposed the personal data of approximately 34,127 current and former employees and job applicants in the U.S. The breach, allegedly resulting from insufficient security measures, led to unauthorized access to sensitive information. Eligible class members those notified of the breach can submit claims for compensation by June 24, 2026. Payment options include: - Up to $3,000 for documented identity theft or fraud-related losses (incurred between July 1, 2024, and June 24, 2026). - Up to $500 for out-of-pocket expenses, such as credit monitoring fees or ID replacement costs. - $40 (estimated) for a one-time cash payment if no losses are claimed. - Up to $100 for lost time spent addressing the breach ($20/hour for up to five hours). - An additional $75 (estimated) for California residents under the CCPA. All class members will receive a one-year enrollment code for CyEx Financial Shield Complete, which includes $1 million in fraud insurance and identity theft monitoring, regardless of claim submission. The $610,000 settlement fund covers administrative costs, $152,500 in attorneys’ fees, $5,000 in service awards for class representatives, and payments to approved claimants. TCM will separately fund the CyEx services. The final approval hearing is scheduled for July 9, 2026, with payouts issued afterward. TCM denies wrongdoing but settled to avoid prolonged litigation. The lawsuit alleged the company failed to implement adequate security protections, leading to the breach. Claims can be filed online or via mail, with supporting documentation required for certain categories.

The Computer Merchant, an IT staffing firm, suffered a ransomware attack in July 2024 attributed to the Play ransomware gang, which exfiltrated sensitive data. The breach compromised 34,127 individuals' names and Social Security numbers, along with client documents, payroll, accounting records, budgets, and contracts—though the company initially denied data theft until January 2025, when stolen data was publicly leaked. The delay in notification (over a year for some victims) exacerbated risks, prompting the firm to offer free credit monitoring and a $1M insurance policy to affected parties. Play’s double-extortion model (demanding ransom for decryption and to prevent data leaks) aligns with its history of targeting sectors like healthcare, finance, and manufacturing. The attack’s scale—part of Play’s 163 confirmed breaches (1.4M+ records compromised)—highlights systemic vulnerabilities in staffing firms, with operational disruption, reputational harm, and long-term fraud risks for victims. The company’s late detection and response further intensified the fallout, underscoring gaps in cybersecurity resilience.