The Metropolitan Opera failed to properly safeguard the credit card numbers and other personal information of more than 45,000 patrons and employees compromised in a massive computer hack during 2022, says a class action lawsuit filed in Manhattan Supreme Court.
Former Met employee Anthony Viti, the lead plaintiff in a class action lawsuit filed last week, claims that his Social Security number, his driver’s license number, his date of birth and financial account information were all accessed by hackers.
“For approximately two months, The Met failed to detect an intruder with access to and possession of The Met’s current/former employees and consumers’ data,” the suit said. “It took a complete shutdown of The Met’s website and box office for The Met to finally detect the presence of the intruder.”
The hack crippled the cultural institution’s computer system for more than a week, the lawsuit said.
It alleges that The Met failed to install the proper security measures despite numerous government warnings that it could be a target for cyberattacks.
Letters submitted to the Maine and Vermont attorneys general by the opera company’s lawyer said that hackers its computer system at least twice last year.
“Through an investigation conducted by third-party specialists, the Met learned that an unknown actor gained access to certain of their systems between September 30, 2022 and December 6, 2022 and accessed or took certain information from those systems,” Stephanie Basta, the opera’s lawyer, wrote in a letter submitted to the Maine Attorney General on May 3.
She said that information for 45,094 patrons and workers and former employees was compromised.
In a Dec. 7, 2022 article cited in the lawsuit, The New York Times reported that hackers infiltrated the servers of the Lincoln Center venue, shutting down ticket sales for nine days.
“This attack froze everything,” Met general manager Peter Gelb told the newspaper at the time.
Gelb said at the time that the infiltration had disrupted the electronic payment system for the institution’s 3,000 workers.
“The teachable moment of this attack is that if someone wants to break into your system, it is hard to stop them,” the general manager said.
But the lawsuit notes that Basta reported to Maine authorities that the breach was discovered on Feb. 21, 2023 — despite it being reported in the Times months earlier.
The Met — the largest performing arts organization in the country — offered victims of the attack a year of credit monitoring service.
That’s not enough, according to the lawsuit, which claims the effects of such a hack could plague its victims for decades to come.
“The Met’s response to the data breach has been woefully insufficient,” the lawsuit charges.
The Met house declined to respond to the claims in the suit, but said “We strongly believe this case has no merit.”