Accellion Agrees to $8.1 Million Breach Settlement
Accellion Denies All Allegations, Settles to End Litigation Over FTA Breach
More than a year after the December 2020 cyberattack on Accellion's File Transfer Appliance, the company has agreed to an $8.1 million settlement to resolve a class action over the data exposure, which resulted in the theft of both consumer and patient data. After "arduous, arm's-length negotiations," the plaintiffs have asked a California federal court to approve the settlement.
"Plaintiffs request that the Court preliminarily approve a nationwide class action settlement that would resolve all of the class’s claims against Accellion only, on behalf of all natural persons who are residents of the United States whose Personal Information was stored on the FTA systems of Accellion’s FTA Customers and was compromised in the Attacks," states a motion for preliminary approval of the settlement.
A spokesperson for Accellion was not immediately available to comment on the development.
Accellion Denies Allegations
The class action complaint against Accellion alleged that the company failed to implement and maintain adequate data security practices to safeguard its customers' personal information, failed to prevent the attacks and the FTA data breach, failed to detect security vulnerabilities leading to the attacks, and failed to disclose that its data security practices were inadequate to safeguard personal information. Data reported exposed included names, birthdates, Social Security numbers and medical and drivers' license information.
In its defense, Accellion denies all of the allegations and any liability and maintains that it did not owe a legal duty of care to the plaintiffs and acted reasonably, according to its motion filed for settlement.
Accellion said that its FTA customers are responsible for managing, maintaining and updating their own instances of the FTA software and that Accellion does not manage its customers' FTA systems.
"Accellion does not collect any data on behalf of its FTA Customers and also does not access the content of information its customers choose to store or transfer with FTA," according to the settlement proposal, which also says, "Accellion did not guarantee the security of the FTA software to customers."
"The exact class size is unknown, but includes approximately 9,200,000 Class Members to whom direct notice is being sent. Under the terms of the Settlement, Accellion will use its best efforts to ascertain the number of - and contact information for - any additional Class Members to whom direct notice may be sent under the Settlement to achieve the best notice practicable, but the Parties do not anticipate this number to increase substantially," according to settlement papers filed in California federal court.
The settlement establishes a non-reversionary cash fund of $8.1 million to pay valid claims, notice and administration costs, and any service awards to the affected users of the FTA.
"It requires Accellion to pay $4,600,000 of the settlement fund into escrow within ten business days of the execution of the settlement agreement, with the remaining $3,500,000 to be placed into escrow ten business days after the settlement is preliminarily approved. These escrow payments will secure the settlement fund now, eliminating the risk of nonpayment from Accellion," according to the settlement proposal.
Under the settlement terms, the victims can receive two years of three-bureau Credit Monitoring and Insurance Services or a payment for reimbursement of documented losses of up to $10,000 or a cash fund payment, calculated in accordance with the terms of the settlement agreement, estimated at $15 to $50.
In addition, the settlement proposal requires Accellion to fully retire its FTA offering, maintain FedRAMP certification for its newer Kiteworks offering, expand its bug bounty program, provide annual cybersecurity training to all employees, employ personnel with formal responsibilities for cybersecurity, and to periodically confirm compliance with the foregoing measures publicly on Accellion’s website.
"The settlement also provides robust injunctive relief to be implemented for four years from the Effective Date of the Settlement," the proposal says.
In late 2020 and early 2021, Accellion disclosed to its FTA customers that threat actors had breached Accellion client data via certain vulnerabilities in the FTA software. These threat actors were then able to steal sensitive data from many Accellion clients, including corporations, law firms, banks, universities, and healthcare and other entities.
The Palo Alto-based tech company's File Transfer Appliance was used by many organizations, including numerous healthcare institutions. The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website lists several large breaches tied to attacks on unpatched Accellion FTA installations.
Among the victims were health plans owned by Centene Corp., which filed a lawsuit against Accellion in the wake of the incident. Those health plans affected are: Health Net Community Solutions, with nearly 687,000 individuals affected; Health Net of California, with 524,000 individuals affected; California Health & Wellness, with 80,000 affected; Health Net Life Insurance Co., with nearly 27,000 affected (see: More Accellion Health Data Breaches Revealed).
Other victims include Trinity Health, Stanford University School of Medicine, the University of California, and UC Davis. Supermarket chain Kroger; Springfield, Illinois-based Southern Illinois University School of Medicine; Trillium Community Health Plan, based in Springfield, Oregon; and Canada-based Nova Scotia Health Employees' Pension Plan also confirmed they were victims.
This particular settlement resolves claims against Accellion only; settlements are also pending in cases against several Accellion clients.
Under a proposed settlement filed in a California federal court, the supermarket chain Kroger agreed to pay $5 million to resolve claims in several class action lawsuits filed in the wake of the Accellion-related data breach, which affected more than 3.8 million of its employees and customers.
The lawsuits filed by the companies claim that "despite knowing that FTA left Accellion’s customers - like Kroger - and third parties interacting and transacting with [its customers' data] exposed to security threats, Accellion continued to offer and Kroger continued to utilize the FTA file transfer product at the time of the data breach."