Metropolitan Opera Data Breach Becomes a Class Action Lawsuit

New York City’s Met Opera is being sued following a cyberattack that compromised the personal information of over 45,000 employees and patrons

The largest performing arts organization in the U.S., New York City’s Metropolitan Opera, is now facing a class action lawsuit after a cybersecurity attack caused a data breach of 45,094 individuals on December 6, 2022. Its first major cyberattack in its 139-year history, exposed data from the breach included Social Security numbers, driver’s license numbers, financial account information, payment card information, and tax identification numbers. 

A class action suit was filed in the Manhattan Supreme Court and is being led by a former employee Anthony Viti, who is also the lawsuit’s chief plaintiff. 

The breach was first reported by The New York Times, which explained that the Met Opera’s website and box office froze the Met’s computer system for nine days in December, while the FBI was notified.

“As it turns out, the cybercriminals not only disrupted The Met’s website and box office but also entailed the Data Breach, an exfiltration of sensitive data,” reads the lawsuit, obtained by UPI news. 

“The Met failed to detect an intruder with access to and possession of The Met's current/former employees’ and consumers’ data,” it continued. “It took a complete shutdown of The Met’s website and box office for The Met to finally detect the presence of the intruder.”

Following the breach, the Met ordered a third-party forensic investigation which discovered that cybercriminals had stolen personally identifiable information over several months. 

“Through an investigation conducted by third-party specialists, the Met learned that an unknown actor gained access to certain of their systems between September 30, 2022 and December 6, 2022 and accessed or took certain information from those systems,” wrote the Met’s lawyer, Stephanie Basta, in letters submitted to the Maine Attorney General last month.

The letters also revealed that the Met’s computer systems had been hacked at least twice in 2022, according to NY Daily News.

The lawsuit states that the Met’s “woefully insufficient” response to the data breach also included not informing the affected parties until May 3, 2023 — nearly five months after the breach.

Additionally, the lawsuit notes that Basta’s letters detailed that the breach was discovered on February 21, 2023 — despite it being reported in the NY Times months earlier.

To compensate victims of the cyberattack, the Met is currently offering 12 months of identity and credit monitoring services, despite fears from patrons that such attacks could cause “ripples for many years, if not decades,” according to the lawsuit.

Further, it is alleged that the Met had not installed security measures that could have prevented the breach, and did not heed government warnings that it could fall prey to a cyberattack target.

The Met has declined to respond to the lawsuit’s claims, stating that they “strongly believe this case has no merit.”

“We take this incident and the security of information in our care seriously,” the Met wrote in the letter to affected parties. “Upon becoming aware of this incident, we immediately took steps to confirm the security of our environment. We are also reviewing existing security policies and have implemented additional measures to further help protect against similar incidents moving forward.”