In a dramatic turn of events, a class action lawsuit has been filed against a software company for allegedly failing to protect sensitive personal information. On March 19, 2025, Cassandra Munoz filed the complaint in the United States District Court for the Northern District of Illinois against Cleo Communications, Inc., following a significant data breach that exposed personal information of students from Chicago Public Schools.
The lawsuit claims that Cleo Communications, a software platform that assists businesses with supply chain integration and other services, failed to secure personally identifiable information (PII) stored on its systems. This negligence allegedly led to a cyberattack by the Russia-linked ransomware group Cl0p in late 2024. The attack targeted Cleo's server containing data from Chicago Public Schools, compromising names, dates of birth, gender, student ID numbers, and Medicaid details. Despite learning about the breach on February 8, 2025, affected individuals were not notified until March 7, 2025. Munoz accuses Cleo of violating federal and state statutes by neglecting their duty to safeguard PII and failing to implement adequate security measures.
Munoz seeks damages for herself and all similarly affected individuals nationwide whose PII was compromised due to Cleo's alleged negligence. The complaint outlines several causes of action including negligence, negligence per se, and breach of implied contract. It demands compensatory damages for financial losses resulting from identity theft risks and loss of privacy control. Additionally, it calls for statutory damages or penalties where applicable and requests an order mandating improved data security practices at Cleo Communications.
Represented by attorneys Gary M. Klinger from Milberg Coleman Bryson Phillips Grossman PLLC and Courtney E. Maccarone along with Mark S. Reich from Levi & Korsinsky LLP (pro hac vice forthcoming), Munoz seeks justice not only for past harms but also aims to prevent future breaches by holding Cleo accountable for its alleged lapses in digital security protocols.