Varsity Brands is under fire again after a massive cyberattack compromised the personal information of more than 65,000 individuals, including over 10,000 Texans. An Indiana man, Dean Huntley, has filed a class-action lawsuit in Texas federal court, accusing Varsity of negligence and failure to safeguard sensitive data.
The breach, which occurred in May 2024, exposed a variety of private information, such as Social Security numbers, driver’s license details, financial data, and medical records, according to the Texas Attorney General. The lawsuit also claims that Varsity Brands failed to inform those affected within the required timeframe. Texas law typically mandates companies notify individuals within 30 to 45 days following a breach. However, Varsity Brands didn’t alert impacted customers until mid-October—nearly five months after the breach occurred.
The breach was first detected on May 24, just as Varsity was completing its $4.75 billion acquisition by private equity giant KKR. The timing has raised questions about whether the looming sale played a role in the company’s delayed response. According to Huntley’s lawsuit, Varsity waited 143 days to inform customers—far longer than what is typically allowed under state data breach laws.
The company’s description of the incident raises the possibility of a ransomware attack, though no ransomware group has publicly claimed responsibility. If Varsity Brands paid a ransom, that could explain the lack of acknowledgment from cybercriminals.
The lawsuit seeks $9,999,000 in damages, arguing that Varsity Brands failed to implement security measures that meet industry standards, as set by the Federal Trade Commission (FTC). Additionally, the lawsuit accuses Varsity of negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty.
“This data breach was preventable,” said Huntley’s attorney. “Mr. Huntley, on behalf of everyone whose personal information was exposed, is seeking accountability from Varsity Brands for its failure to utilize industry-standard data security measures.”
In a statement following the breach, Varsity Brands said it identified unusual activity within its systems on May 24, 2024. The company claims it took swift action by shutting down certain systems and hiring external cybersecurity experts to investigate the breach. Law enforcement was also notified.
“Upon detection, we promptly took steps to stop the activity and took certain systems offline,” Varsity Brands stated. “We also notified law enforcement and worked with external experts to investigate.”
In June, just a month after the breach, Varsity hired its first Chief Security Officer, Lisa Olivieri, to lead the company’s security efforts. Her role focuses on “managing Varsity Brands’ integrated security and safety efforts across the company,” according to a press release. Despite these efforts, the lawsuit alleges that the company failed to notify customers in a timely manner and that the harm caused by the breach—including the risk of identity theft and fraud—was avoidable.
This data breach lawsuit adds to Varsity Brands’ mounting legal issues. Even before KKR’s acquisition, Varsity had been entangled in multiple lawsuits. The company has faced allegations of illegal monopolistic behavior in the cheerleading industry and has been connected to numerous cases involving cheer coaches accused of sexual misconduct. While Varsity has consistently denied wrongdoing, it has paid millions to settle some of these claims, including antitrust lawsuits.
With the lawsuit seeking to hold Varsity accountable for the security lapse, the cheerleading giant finds itself in the midst of yet another legal battle. The stakes are high, especially as the company strives to maintain its dominant position in the cheer industry.