Sensitive personal information including names and Social Security numbers was allegedly exposed after a data breach at a major real estate investment and property services firm, raising concerns about privacy risks for potentially thousands of individuals. The complaint, filed by Harry Watts on April 6, 2026 in the United States District Court for the District of New Jersey against Onyx Equities, LLC, outlines claims that the company failed to adequately safeguard private information entrusted to it by clients and business contacts.
According to the filing, Onyx Equities discovered suspicious activity within its network on November 25, 2025. An investigation determined that an unauthorized actor had accessed files containing personally identifiable information (PII) such as names and Social Security numbers. The review of the incident concluded on March 19, 2026, with individualized notice letters sent to affected parties beginning around March 31, 2026.
The lawsuit alleges that the notorious ransomware group known as “CLOP” was responsible for the attack. Citing an alert from the Cybersecurity and Infrastructure Security Agency (CISA), the complaint describes CLOP as one of the largest distributors of phishing campaigns worldwide and notes the group's use of tactics such as stealing and encrypting victim data while threatening to publish exfiltrated information online.
Plaintiff Harry Watts claims that Onyx Equities failed to take reasonable precautions designed to keep individuals’ private information secure. The complaint states: “Defendant owed Plaintiff and Class Members a duty to take all reasonable and necessary measures to keep the Private Information collected safe and secure from unauthorized access.” It further asserts that Onyx Equities breached this duty by not implementing or maintaining adequate security practices despite being aware of industry standards and federal guidelines regarding data protection.
The legal filing highlights several issues with how Onyx Equities handled both its cybersecurity practices and its response to the breach. Among these are allegations that the company provided little detail about how the breach occurred or whether it had been contained; did not specify when or for how long unauthorized access took place; delayed notifying victims for four months after discovering suspicious activity; and failed to offer sufficient support mechanisms for those whose data was compromised.
Additionally, the plaintiff argues that this delay violated New Jersey’s data breach notification statute (N.J. Rev. Stat. § 56:8-16(12)(a)), which requires disclosure “in the most expedient time possible and without unreasonable delay.” The complaint also notes that Onyx Equities offered complimentary credit monitoring services only after acknowledging ongoing risks associated with identity theft stemming from the incident.
The lawsuit contends that those affected by the breach have suffered injuries including financial losses due to misuse of their private information, diminished value of their PII, lost time spent monitoring accounts or preventing identity theft, emotional distress, invasion of privacy, loss of control over personal data, and ongoing risk as long as their information remains in Onyx Equities’ possession without improved safeguards.
Harry Watts brings this action individually and on behalf of a proposed nationwide class against Onyx Equities for alleged negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of fiduciary duty. The suit seeks remedies including damages for monetary losses suffered by class members; compensation for lost time spent mitigating harm; reimbursement for costs related to credit monitoring or account security measures; injunctive relief requiring stronger cybersecurity practices at Onyx Equities; lifetime credit monitoring services; statutory damages where applicable under state law; attorneys’ fees; costs; pre-judgment interest; post-judgment interest; and any other relief deemed appropriate by the court.
The complaint details industry best practices cited by federal agencies such as the Federal Trade Commission (FTC), emphasizing encryption standards, timely notifications in case of breaches, regular risk assessments, employee training on cybersecurity threats, limiting retention periods for sensitive data, multi-factor authentication protocols, firewalls, anti-malware software deployment, and regular monitoring for suspicious activity on networks. It alleges that Onyx Equities failed in multiple respects relative to these benchmarks.
As outlined in court documents prepared by attorney Leanna A. Loginov (NJ Bar #389742022) of Shamis & Gentile P.A., Miami, FL, who represents Harry Watts, the case is identified as Case No. 2:26-cv-03633 before the United States District Court for the District of New Jersey.
Source: 226cv03633_Watts_v_Onyx_Equities_LLC_Complaint_District_New_Jersey.pdf



