The Accellion data breach that last year affected a variety of private- and public-sector organizations and compromised the personal data of millions of individuals could come to an $8.1 million resolution.

According to court documents in the case Stobbe v. Accellion, filed Wednesday in the U.S. District Court for the Northern District of California, the privately held file-sharing company (which rebranded as Kiteworks in October 2021) would be required to establish an $8.1 million cash fund in a proposed nationwide class-action settlement “to pay for valid claims, notice and administration costs, any service awards to the named plaintiffs, and any fee award and costs awarded by the court.”

The settlement would resolve only class claims against Accellion on behalf of all U.S. residents whose personal information was compromised in the attacks that targeted the file transfer appliance (FTA) systems of numerous high-profile Accellion customers. While the exact class size is unknown, 9.2 million class members are being notified, according to court documents.

The settlement would additionally provide “robust injunctive relief” that Accellion must implement for four years from the agreement’s effective date. Other proposed requirements mandate Accellion to:

  • Fully retire its FTA offering;
  • Maintain FedRAMP certification for its newer Kiteworks offering;
  • Expand its bug bounty program;
  • Provide annual cybersecurity training to all employees;
  • Employ personnel with formal responsibilities for cybersecurity; and
  • Periodically confirm compliance with the foregoing measures publicly on Accellion’s website.

In May 2021, Accellion announced approximately 75 percent of FTA customers affected by the breach already had migrated from its legacy product to the Kiteworks content firewall.

“Following the discovery of the zero-day vulnerability and prior to migrating, we offered FTA customers free forensic assistance, as well as an independent forensic analysis by FireEye Mandiant, access to Accellion senior management, migration services to Kiteworks, or migration assistance to customers who elected to terminate their relationship with Accellion,” said Accellion Chief Executive Jonathan Yaron in a press release at the time.

Massive breach

In mid-December 2020, Accellion notified customers that a data breach had compromised client data through certain vulnerabilities in its FTA software. While Accellion initially claimed it patched the FTA vulnerability within 72 hours, it later announced discovering new vulnerabilities. Authorities later determined the attacks were carried out by the Clop ransomware gang.

The breach was massive in nature, resulting in sensitive data being stolen from multiple government organizations; law firms; and companies in the healthcare, telecommunications, financial services, retail, energy, and higher education sectors.

Among Accellion’s high-profile clients that issued statements disclosing the breach were Bombardier, Kroger, Royal Dutch Shell, the University of California, Stanford University, the University of Colorado, the Reserve Bank of New Zealand, and more. The U.S. Department of Health and Human Services warned that numerous healthcare organizations were impacted.

The resulting class-action lawsuit asserted claims of negligence; invasion of privacy; and violations of various consumer protection laws, including the California Consumer Privacy Act (CCPA). Specifically, the complaint alleged Accellion failed to implement and maintain adequate data security practices to safeguard personal information; prevent the FTA data breach; detect security vulnerabilities leading to the data breach; and disclose its data security practices were inadequate.

Court documents state, “Accellion has denied all the allegations and any liability and maintains that it did not owe a legal duty of care to plaintiffs and acted reasonably.”