Airport Retailer Faces $6.9M Lawsuit Settlement Following Ransomware Attack
A leading airport retail company is nearing a $6.9 million settlement to resolve a class-action lawsuit brought by employees whose personal data was compromised in a ransomware attack in 2020, The Record reports.
Class-action suits have become common after ransomware attacks that include data compromise and exfiltration. Recently, a major eyecare company in Washington agreed to a $3.6 million class-action settlement with victims of a data breach in 2023.
Also, a major regional healthcare network recently agreed to pay $65 million after attackers accessed sensitive patient information, including naked photos of patients.
The lawsuit against the airport retailer was filed by a former employee who claimed that hackers stole records containing sensitive personal details, including names and Social Security numbers, belonging to approximately 76,000 current and former employees.
The breach occurred over a five-day period in October 2020, during which the attackers infiltrated the company’s administrative systems. At the time, the retailer operated more than 1,000 retail stores, restaurants, and bars in airports across the U.S. and Canada.
The REvil ransomware group was reportedly behind the attack. The retailer waited eight months before notifying affected individuals and state attorneys general of the breach.
The suit accused the company of failing to adequately protect employee information and criticized the delay in notifying victims. It also claimed that the retailer deliberately withheld details about the vulnerabilities and root causes of the incident.
While denying any wrongdoing, the company agreed to the settlement, citing the high costs and drawn-out nature of continuing the litigation.
Takeaway: Most ransomware attacks today don’t stop at encryption—they double down with data theft for extortion. That means if your organization collects and stores PII or other regulated data, you’re not just facing operational downtime—you’re staring down potential class-action lawsuits, regulatory investigations, and massive legal costs.
In breach fallout like this, hindsight is brutal. Every detail of your security program gets picked apart. Was there an unpatched vulnerability? A misconfigured system? Even minor gaps become smoking guns in the courtroom. What might’ve seemed like a small oversight in a sprawling environment suddenly becomes a multimillion-dollar liability.
Security pros know that if an attacker has enough time and resources, they will get in. That’s not defeatist—it’s just reality. But for companies handling sensitive data, that inevitability comes with serious consequences. Regulatory bodies and plaintiff attorneys aren’t interested in nuance—they want accountability.
We’re now in an era where victim organizations aren’t just recovering from ransomware attacks, they’re being judged, fined, and sued for them, and that pressure isn’t easing up.
So, while building strong defenses and resilience is critical, it’s just as important to understand what kind of risk you’re sitting on, and how exposed you are when the worst-case scenario becomes real.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.