Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit related to the December 2020 cyberattack on its legacy File Transfer Appliance.
In December 2020, two Advanced Persistent Threat groups linked to FIN11 and the CLOP ransomware gang exploited vulnerabilities in the Accellion File Transfer Appliance (FTA) and exfiltrated a large amount of customer data. Customers included law firms, insurance companies, financial institutions, universities, and healthcare providers. The stolen data included names, dates of birth, contact information, Social Security numbers, driver’s license numbers, and healthcare information.
The Accellion FTA is a legacy solution that was historically used for sending files too large to send by email and has been in use for around 20 years. On April 30, 2021, the Accellion FTA reached end-of-life, and in the preceding months, Accellion was actively encouraging its FTA customers to upgrade to its replacement Kiteworks solution. The cyberattack occurred four months before the FTA solution was due to be retired.
In December 2020, Accellion identified a zero-day vulnerability and released a patch to fix the issue. A further four vulnerabilities were identified and issued with CVEs, and patches were issued to fix the flaws by February 2021. Accellion learned of attacks exploiting the vulnerabilities in January 2021, and said the vulnerabilities were exploited and data were stolen from fewer than 100 of its customers. Many of those customers had large amounts of sensitive information stolen. Victims included Trilium, Kroger, Stanford University School of Medicine, Community Health Plan, the University of California, Guidehouse, Qualys, Singtel, Royal Dutch Shell, Trinity Health, and many more.
Several lawsuits were filed in the wake of the data breach against Accellion and its customers. Kroger was one of the first companies to propose a settlement to resolve its class action lawsuit. The settlement of $5 million covers the 1.47 million pharmacy customers affected by the breach.
Now, Accellion has proposed an $8.1 million settlement in California federal court to resolve a class action lawsuit that accuses the company of negligence. The lawsuit alleged Accellion failed to implement and maintain appropriate data security practices, which led to a breach of customer data. In addition, the lawsuit claims Accellion failed to detect vulnerabilities in its FTA solution and failed to disclose that its security practices were inadequate.
Accellion denied all of the allegations in the lawsuit and the company accepts no liability for the data breach. The proposed settlement resolves all claims by residents of the United States whose personal information was stolen in the cyberattack and covers claims, notice costs, and the administration costs of users of the Accellion FTA. The size of the class is not known, but it covers at least the 9,200,000 class members who are being notified directly about the proposed settlement. Accellion said it will use its best efforts to determine the number and contact information for any additional class members but does not believe the total will change substantially.