Cyber Incident Victim: Andy Frain Services Inc.
Date:
Oct 2024
Location:
United States of America
Summary
Andy Frain Services Inc. experienced a data breach that exposed personal information of former job applicants. The applicants filed a negligence lawsuit alleging the company failed to protect their data. Although the applicants had signed dispute resolution agreements requiring arbitration for employment-related disputes, a federal court determined that the negligence claims arising from the breach were not connected to their employment and therefore could not be compelled into arbitration. The court’s decision allowed the case to proceed in litigation rather than being sent to arbitration.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2024, Andy Frain Services Inc. experienced a data breach that compromised personal information of individuals who had applied for jobs with the event‑security provider. Former applicants subsequently filed a negligence lawsuit against the company, alleging that the breach resulted from inadequate security measures. The plaintiffs pointed to the exposure of their personal data as the basis for their claims.

Prior to the litigation, many of the applicants had signed a Dispute Resolution Agreement with Andy Frain that required arbitration of any disputes arising from their employment. When the case was brought before the US District Court for the Northern District of Illinois, the company sought to enforce that arbitration clause and compel the plaintiffs to resolve the matter outside of court. Judge Elaine E. Bucklo examined the agreement and determined that the negligence claims stemming from the October 2024 breach were not related to the plaintiffs’ work with Andy Frain.
The judge noted that the arbitration provision’s broad language was “sandwiched” between other clauses that limited the scope of the arbitration pact, leading her to conclude that the agreement did not cover the data‑breach claims. Consequently, the court denied Andy Frain’s motion to compel arbitration, allowing the negligence lawsuit to proceed in federal court. The ruling meant that the case would continue to be litigated rather than being resolved through private arbitration. The decision was reported in a Bloomberg Law article published on July 6, 2026.
