Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Accellion Reaches $8.1 Million Settlement Over FTA Data Breach

Enterprise content firewall provider Accellion has reached an $8.1 million settlement to end a lawsuit over a data breach involving its legacy file sharing service FTA, Reuters reports.

Enterprise content firewall provider Accellion has reached an $8.1 million settlement to end a lawsuit over a data breach involving its legacy file sharing service FTA, Reuters reports.

Accellion, which changed its brand name to Kiteworks in October 2021, provides services such as secure email, collaboration, content access, file sharing, and enterprise app sharing capabilities.

Starting mid-December 2020, Accellion FTA – a 20-year-old legacy service that was finally retired in April 2021 – was the target of a cyberattack that continued into January 2021, and which resulted in the compromise of data pertaining to multiple Accellion customers (the company claims that fewer than 100 clients were affected).

The cyberattack was attributed to the financially-motivated advanced persistent threat (APT) actor FIN11. Operating out of Russia, FIN11 is believed to be a TA505 spin-off.

Some of the organizations that have confirmed impact from the incident include the Australian Securities and Investments Commission (ASIC), business jet manufacturer Bombardier, law firm Jones Day, grocery and pharmacy chain Kroger, investment banking firm Morgan Stanley, the Office of the Washington State Auditor (SAO), cybersecurity firm Qualys, the Reserve Bank of New Zealand, Shell, Singapore telecoms firm Singtel, and University of California (UC).

In May 2021, professional services firm KPMG published a report claiming that Accellion failed to notify customers of the zero-day vulnerability that was exploited in the December 2020 cyberattack.

Accellion also faces claims that it failed to secure the sensitive information that customers entrusted to it, settlement papers filed in a California federal court show. The compromised information is said to include names, dates of birth, medical information, drivers’ license details, and Social Security numbers.

The settlement, Reuters reports, would resolve only the litigation against Accellion, but not those against Accellion clients impacted by the incident. Agreements are pending in cases against those clients.

Advertisement. Scroll to continue reading.

Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch

Related: Cybercriminals Publish Data Allegedly Stolen From Shell, Multiple Universities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...