Accellion Reaches $8.1m Data Breach Settlement

Californian technology company Accellion Inc has reached an $8.1m settlement to resolve a legal claim relating to a data breach in December 2020.

The class action lawsuit was filed on behalf of victims whose personal information was exposed during a cyber-attack on Accellion’s file transfer appliance (FTA).

Accellion had been using the FTA for more than 20 years to securely share files deemed too sensitive or large to be sent over email. Before the cyber-attack occurred, Accellion was actively phasing out the FTA and encouraging its clients to move to a newly developed file transfer solution named Kiteworks.

Four months before the legacy file transfer solution was due to be retired on April 30, 2021, it was attacked by two advanced persistent threat (APT) groups linked to FIN11 and the CLOP ransomware gang.

By exploiting unpatched vulnerabilities in the FTA, the attackers were able to gain access to the files of Accellion’s clients from which they exfiltrated a sizable amount of data.

Sensitive data potentially compromised and stolen in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers and healthcare data.

Many Accellion clients were impacted by the breach, including Shell, The University of California, Stanford University School of Medicine, Bombardier, University of Miami Health, Trillium, Community Health Plan and Kroger.

Accellion identified a zero-day vulnerability in the product in mid-December 2020 and released a patch to address the flaw. By February 2021, four additional vulnerabilities associated with the platform had been disclosed and assigned CVEs.

The class action lawsuit accused Accellion of failing to implement and maintain appropriate data security practices to protect its clients’ sensitive data and failing to detect vulnerabilities in the security of its FTA. Plaintiffs also alleged that Accellion failed to disclose the inadequacy of its security practices.

According to documents filed in Californian federal court, Accellion accepts no liability for the breach and has denied all of the allegations. The tech company has proposed a settlement that includes $8.1m to cover the claims, notices and administration costs of Accellion FTA users.