The tech firm Accellion in Palo Alto, CA made a proposal for an $8.1 million settlement to take care of a class action data breach suit that was filed on behalf of affected individuals of the cyberattack on the Accellion File Transfer Appliance (FTA) in December 2020.
The Accellion FTA is a legacy program that is employed for securely transferring files that are so large to be sent through email. The Accellion FTA was used for more than 20 years and hit its end of life. Its support service ended on April 30, 2021. Accellion had created a new platform, Kiteworks, and customers were urged to switch from the legacy solution; nevertheless, a substantial number of entities continued utilizing the FTA solution during the cyberattack.
In December 2020, two unfamiliar Advanced Persistent Threat (APT) groups connected to FIN11 and the CLOP ransomware gang exploited unpatched vulnerabilities in the Accellion FTA, acquired access to the information of its clients, and exfiltrated a considerable amount of information. Right after the breach, four vulnerabilities related to the breach were disclosed and assigned CVEs.
The breach impacted Accellion customers including banks, law firms, educational institutions, and healthcare companies. A lot of the documents that belong to healthcare institutions included sensitive patient and health plan member information. Healthcare agencies affected by the breach were the following
- Arizona Complete Health
- Health Net of California
- Health Net Community Solutions
- California Health & Wellness
- Kroger
- The University of California
- Trinity Health
- Trillium
- Stanford University School of Medicine
- University of Miami Health
- Community Health Plan
- Health Employees’ Pension Plan
- CalViva Health
Subsequent to the attack, a number of lawsuits were submitted against Accellion and its clients because of the data breach. The class-action lawsuit versus Accellion stated the company was unable to employ and maintain appropriate data security procedures to safeguard the sensitive information of its clients, did not recognize the Accellion FTA’s security vulnerabilities, didn’t reveal its security practices were not enough, and was unable to stop the data breach. Because of the attack, highly sensitive data was stolen, which include names, contact data, dates of birth, healthcare data, Social Security numbers, and driver’s license numbers.
Accellion denied all of the allegations in the lawsuit and admits no liability for the security breach. The company stated in the settlement agreement that it isn’t liable for managing, updating, and keeping clients’ instances of the FTA software program. Accellion additionally mentioned the firm does not gather any customer information, doesn’t access the data of files shared or saved through the FTA solution, and offered no guarantees to customers that the FTA software was safe.
It is uncertain how many people will be covered by the settlement, however, the number is definitely around 9.2 million persons. Accellion will try to acquire up-to-date contact details for those people to be able to deliver notices of the offered settlement. The planned settlement consists of a cash fund of $8.1 million to handle claims, notices, administration expenses, and service awards to impacted clients of the Accellion FTA. $4.6 million of the $8.1 million cash fund will be provided within 10 days, while the remainder will be available in 10 days of the settlement being accepted.
Affected persons will be eligible to sign up for 24 months of three-bureau credit monitoring and insurance services, get repayment for reported losses of up to $10,000, or get a cash payment, which is estimated to be around $15 to $50. Accellion will additionally fully stop using the Accellion FTA and take action to make certain the protection of its substitute Kiteworks software. Those actions include escalating its bug bounty program, retaining FedRAMP certification, hiring people responsible for cybersecurity, providing cybersecurity training to its employees, and making regular checks to validate continued observance of the cybersecurity measures specified in the settlement.
The proposed settlement will resolve all claims against Accellion only. There are other lawsuits and settlements versus customers affected by the data breach. The supermarket company Kroger has suggested a $5 million settlement to take care of lawsuits filed on behalf of the 3.8 million workers and clients impacted by the cyberattack.