Accellion reached an $8.1 million settlement in its class-action data breach lawsuit with the approximately 9.2 million individuals impacted by the monthslong hack of its file transfer application, which resulted in the theft of both consumer and patient data. Details of the lawsuit paint a clear message from the vendor that users were solely responsible for their own security, despite flaws in the software that left them vulnerable.
Hundreds of companies were affected, with the healthcare sector among the most impacted sectors. Accellion was the largest healthcare data breach of 2020, impacting 3.51 million patients from Centene, Kroger, Trinity Health, and a host of other provider organizations.
The lawsuit stemmed from the December 2020 exploit of several unpatched, zero-day vulnerabilities in the Accellion FTA, which allowed the threat actors to pivot into connected client networks and steal massive troves of personal and protected health information.
The motives behind the attack were initially unclear. By January 2021, multiple Accellion clients began to receive extortion emails directly from Clop hackers threatening to leak the data exfiltrated from the FTA. At least 100 companies from all sectors were impacted by the mass extortion effort, with some of the stolen data leaked online.
The breach victims soon responded with lawsuits against Accellion and multiple impacted clients. The lawsuits made serious allegations against Accellion, including failure to implement adequate security practices, failure to detect the vulnerabilities behind the exploit, and failure to “disclose that their data security practices were inadequate to safeguard” data.
“Accellion has denied all of the allegations and any liability and maintains that it did not owe a legal duty of care to [individuals] and acted reasonably,” according to the settlement proposal. Customers were responsible for managing their FTA instances, and the vendor does not manage or collect any data on behalf of its customers.
Further, the proposal asserted that “Accellion did not guarantee the security of the FTA software to customers. Its standard license agreement disclaimed such guarantees and included a broad limitation of liability for any damages resulting from a data breach.”
Thus, their argument is that clients were “solely responsible and liable for the use of and access to” the FTA software. Since the initial hack, ongoing industry discussions have centered around concerns the vendor was continuing to market its FTA, despite the known security flaws.
Accellion stopped licensing the FTA to new customers in 2016, but allowed previous customers to renew existing licenses. As such, the last security update for the vulnerable FTA was issued in February 2019. The settlement proposal explained Accellion performed five security scans and pen tests on the FTA after that date, the last in June 2020.
The newly announced settlement will resolve these ongoing claims on behalf of individuals whose data was stored on the FTA used by Accellion customers. The vendor will be required to ascertain the precise number of affected individuals and their contact information.
The settlement establishes a “non-reversionary cash fund of $8.1 million" to pay for any valid claims, notice, and administration costs of the impacted individuals. It also requires Accellion to pay $4.6 million of the funds into escrow within 10 days of a finalized settlement and another $3.5 million into escrow, another 10 days later, to “secure the settlement fund now.”
Under the settlement terms, breach victims can receive two years of credit monitoring and insurance services, as well as payments to reimburse documented losses up to $10,000 or a cash fund payment of between $15 to $50.
Perhaps more importantly, the settlement requires Accellion to fully retire the vulnerable FTA offering at the center of the hacking incident.
The “robust injunctive relief,” including the FTA retirement, must be implemented for four years after the settlement is finalized. It also includes a requirement for Accellion to maintain FedRAMP certification for its newer file sharing offering, known as Kiteworks.
Accellion is also required to expand its bug bounty program, provide annual cybersecurity training to all workforce members, hire personnel with “formal responsibilities for cybersecurity,” and periodically evaluate compliance with measures publicly displayed on its website.
“There are unique litigation risks that arise from the case against Accellion,” the settlement proposal explained. “Approval is further warranted by the fact that the settlement secures significant funds from a company that is unlikely to withstand a higher judgment.”
The attorneys stress the settlement proposal is fair, given that the impacted individuals can also seek additional recovery from pending lawsuits and “have already secured such potential recovery through pending settlements” from proposed settlements with Kroger, HealthNet, and FlagStar. Kroger reached a $5 million settlement with the 1.5 million customers affected by the Accellion data theft in June 2020.