Accellion Reaches $8.1 Million Settlement Over FTA Data Breach
Enterprise content firewall provider Accellion has reached an $8.1 million settlement to end a lawsuit over a data breach involving its legacy file sharing service FTA, Reuters reports.
Accellion, which changed its brand name to Kiteworks in October 2021, provides services such as secure email, collaboration, content access, file sharing, and enterprise app sharing capabilities.
Starting mid-December 2020, Accellion FTA – a 20-year-old legacy service that was finally retired in April 2021 – was the target of a cyberattack that continued into January 2021, and which resulted in the compromise of data pertaining to multiple Accellion customers (the company claims that fewer than 100 clients were affected).
The cyberattack was attributed to the financially-motivated advanced persistent threat (APT) actor FIN11. Operating out of Russia, FIN11 is believed to be a TA505 spin-off.
Some of the organizations that have confirmed impact from the incident include the Australian Securities and Investments Commission (ASIC), business jet manufacturer Bombardier, law firm Jones Day, grocery and pharmacy chain Kroger, investment banking firm Morgan Stanley, the Office of the Washington State Auditor (SAO), cybersecurity firm Qualys, the Reserve Bank of New Zealand, Shell, Singapore telecoms firm Singtel, and University of California (UC).
In May 2021, professional services firm KPMG published a report claiming that Accellion failed to notify customers of the zero-day vulnerability that was exploited in the December 2020 cyberattack.
Accellion also faces claims that it failed to secure the sensitive information that customers entrusted to it, settlement papers filed in a California federal court show. The compromised information is said to include names, dates of birth, medical information, drivers’ license details, and Social Security numbers.
The settlement, Reuters reports, would resolve only the litigation against Accellion, but not those against Accellion clients impacted by the incident. Agreements are pending in cases against those clients.
Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch
Related: Cybercriminals Publish Data Allegedly Stolen From Shell, Multiple Universities