Accellion Facing Class Action Over Dec. 2020 File Transfer Service Data Breach [UPDATE]
Last Updated on January 20, 2022
Zebelman v. Accellion, Inc.
Filed: February 18, 2021 ◆§ 5:21-cv-01203
Accellion faces a proposed class action over a Dec. 2020 data breach affecting clients ranging from law firms to government agencies to universities.
Case Updates
January 20, 2022 – Accellion Agrees to Settle Data Breach Class Actions for $8.1 Million
Accellion has agreed to pay $8 million to settle the proposed class action detailed on this page and a number of related lawsuits filed over the company’s alleged failure to safeguard client data stored on and/or shared with the Accellion FTA file transfer service.
The proposed settlement, which awaits preliminary approval from U.S. District Judge Edward J. Davila before proceeding, would cover all U.S. residents whose personal information was stored on Accellion’s FTA system and was compromised in the 2020 data breach. It is estimated that at least 9.2 million individuals are covered.
If approved, the settlement will allow eligible consumers to elect to receive two years of three-bureau credit monitoring and insurance services, a payment for reimbursement of documented data breach-related losses up to $10,000 or a cash payment estimated between $15 to $50. The settlement terms also require Accellion to fully retire its FTA service, maintain FedRAMP certification for its newer Kiteworks product, expand its “bug bounty” program, provide employees with annual cybersecurity training and periodically confirm compliance with the foregoing measures publicly on its website.
“The Settlement compares favorably with other data breach settlements on a per capita basis, even outside of the unique circumstances surrounding this case,” the plaintiffs told the court.
Those covered by the deal will receive a notice of the settlement via e-mail or regular mail with information on how to submit a claim. A settlement website is also expected to be established.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
Accellion, Inc. faces a proposed class action over its alleged failure to properly safeguard large amounts of sensitive client information stored on and/or shared with its Accellion FTA file transfer service.
The 31-page lawsuit says Accellion, whose clients include law firms, government agencies and universities, “knew or should have known” the importance and necessity of protecting the large and sensitive files shared through its Accellion FTA service yet negligently allowed an “unauthorized person” to access the information in a December 20, 2020 data breach.
According to the complaint, the information compromised in the breach included proposed class members’ names, social security and/or driver’s license or state identification numbers, dates of birth, bank account and routing numbers and/or places of employment. The suit, filed in California federal court, charges Accellion clients’ information was compromised due to the company’s “negligent or careless acts and omissions.”
“By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ [personally identifiable information], Defendant assumed legal and equitable duties to those individuals,” the lawsuit says of Accellion’s responsibility to safeguard the data in its care.
As the lawsuit tells it, the harm sustained by Accellion’s clients includes lost or diminished value of the compromised information; out-of-pocket expenses associated with preventing, detecting and recovering from identity theft, tax fraud or unauthorized use of the data; lost opportunity costs linked to attempting to mitigate the actual consequences of the data breach; and the continued risk to the information involved in the incident.
Accellion “disregarded the rights of Plaintiff and Class Members” by failing to ensure their sensitive information was properly safeguarded, the complaint scathes.
According to the complaint, Accellion claims to have notified its customers of the data breach on December 23, three days after it reportedly took place. On January 12, 2021, the company issued a press release in which it stated it had resolved the vulnerability linked to the incident and “released a patch within 72 hours to the less than 50 customers affected,” the suit says.
Over the following days, Accellion customers, such as the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC), announced they had been affected by the data breach, the case relays. In its announcement, however, ASIC “rais[ed] doubt” as to Accellion’s claim that it had notified all Accellion FTA customers of the data breach incident, the lawsuit says.
On February 1, the Office of the Washington State Auditor (SAO) added its name to the list of entities affected by the breach, the case continues. According to the lawsuit, the Washington SAO, in its announcement of the incident, said it had used the Accellion FTA service prior to the data breach to transfer the personal information of roughly 1.6 million Washington residents contained in the state’s Employment Security Department files, specifically those who filed unemployment insurance claims in 2020.
As with ASIC, the Washington SAO also raised doubt as to whether Accellion actually notified all affected customers, the suit says, noting the University of Colorado, the plaintiff’s alma mater, took a similar tract in notifying the world that it was “one of some 300 Accellion customers” hit in the attack.
According to the complaint, Singtel, a Singapore telephone company; QIMR Berghofer, an Australian medical research institute; and the Jones Day law firm all subsequently announced they were among those affected by the Accellion data breach.
As a result of the incident, the plaintiff and proposed class members now face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” and will continue to incur damages in addition to any fraudulent use of the personal information that may arise.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Before commenting, please review our comment policy.