Accellion Settles Class-Action Lawsuit for $8.1M Following Data Breach

Accellion reached an $8.1 million settlement following a 2020 cyberattack that impacted millions of individuals.

By Jill McKeon

Accellion reached an $8.1 million settlement to resolve a class-action lawsuit that resulted from a December 2020 data breach involving zero-day vulnerabilities in the company’s File Transfer Appliance (FTA), Reuters reported. The data breach impacted millions of individuals at the time.

Accellion denied all allegations of failure to implement proper data security practices and failure to detect security vulnerabilities. The breach impacted a number of healthcare organizations, including Beaumont Health, Trinity Health, Kroger Health, and Centene, among others.

In the settlement proposal filed in the US District Court for the Northern District of California, the plaintiffs explained that under its standard license agreement, “Accellion did not guarantee the security of the FTA software to customers.”

In fact, Accellion explicitly stated that FTA customers were responsible for managing, maintaining, and updating the FTA software. In 2014, Accellion launched Siteworks as a successor to the FTA, and later stopped licensing FTA to new customers. However, existing customers could renew FTA licenses.

The class members alleged that Accellion violated the Washington Consumer Protection Act, the California Consumer Privacy Act, the North Carolina Unfair Deceptive Trade Practices Act, and other consumer protection statutes.

Prior to the breach, the last security update for FTA was issued in February 2019.

“In December 2020 and then again in January 2021, cyber-criminals exploited multiple ‘zero-day’ vulnerabilities—vulnerabilities that had never been discovered in FTA’s decades of service, despite penetration testing and other monitoring by both Accellion and its customers, as well as scrutiny by external security researchers through Accellion’s bug bounty program—in the FTA, allowing the criminals to illegally access information stored on FTA Customers’ systems,” the filing explained.

Exploitation of the vulnerabilities was so widespread that cybersecurity officials from the US, Singapore, Australia, New Zealand, and the UK released a joint advisory in February 2021 warning Accellion FTA customers of the highly exploitable vulnerabilities. Researchers later tied FTA exploits to FIN11 and Clop ransomware actors.

The settlement requires Accellion to pay $4.6 million of the settlement fund into escrow within 10 business days of the agreement. The additional $3.5 million must be placed into escrow 10 business days after the settlement is preliminarily approved.

The settlement also requires Accellion to give claimants an option between two years of credit monitoring services, reimbursement of documented losses of up to $10,000, or an estimated cash fund payment of $15 to $50.

In addition, the settlement requires Accellion to retire its FTA offering, expand its annual cybersecurity training, and “periodically confirm compliance with the foregoing measures publicly on Accellion’s website,” the filing continued.

The breach highlighted the importance of third-party vendor risk assessments and cybersecurity across all sectors.