In Wake of Breaches, Accellion Faces at Least 14 LawsuitsWill the Lawsuits Seeking Class-Action Status Be Consolidated?
At least 14 lawsuits seeking class-action status have been filed against Accellion in the wake of breaches that exploited zero-day flaws in the vendor's 20-year-old File Transfer Appliance. A motion to consolidate the cases has also been filed.
In recent weeks, many Accellion clients in healthcare and other sectors have issued breach notifications to their customers warning that their personal information was potentially exposed in FTA breaches (see: More Accellion Health Data Breaches Revealed).
The lawsuits, which allege that Accellion did not adequately address security shortcomings in its legacy FTA product, seek damages.
A lawsuit against Accellion and one of its clients, the supermarket chain Kroger, notes that "key people within Accellion have acknowledged the need to leave the FTA platform behind due to the security concerns raised by it."
Accellion’s CMO, Joel York, confirmed that the company "is encouraging its clients to discontinue use of FTA because it does not protect against modern data breaches," the lawsuit notes.
The lawsuit also points out that in a report in February, Accellion CISO Frank Balonis stated that “future exploits of [FTA] . . . are a constant threat. We have encouraged all FTA customers to migrate to Kiteworks [another Accellion product] for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to Kiteworks as soon as possible.”
The lawsuit contends that "despite knowing that FTA left Accellion’s customers - like Kroger - and third parties interacting and transacting with its customers [their data] exposed to security threats, Accellion continued to offer and Kroger continued to utilize the FTA file transfer product at the time of the data breach.”
Accellion declined Information Security Media Group's request for comment on the lawsuits, and Kroger did not immediately respond to a request for comment.
The Issue of Negligence
Regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the case, says that if Accellion is determined to have been negligent because it kept a product on the market despite known security flaws, organizations that had been warned of the security flaws and continued to use the product might also be found negligent.
"Accordingly, the actions of both Accellion and a customer using its flawed software with knowledge of the flaws could be liable for damages resulting from a data breach caused by use of the product," he says.
"The allegations call for extensive discovery. It likely will be a long time before it can be determined if there are sufficient facts to support plaintiffs' complaints."
Use of Outdated Product
The Kroger lawsuit alleges the company "through knowing, intentional and material omissions, concealed that its data privacy and security was inadequate and that it knowingly used unsecured file transfer software, namely the FTA platform, which put its pharmacy customers at risk of exposure."
As a result of Kroger’s alleged actions, plaintiffs and class members suffered damages, the lawsuit states. Those include lost control over sensitive personal Information, lost time addressing the consequences of the data breach and actual fraud or risk of future harm as a result of the theft of personal information, the lawsuit alleges.
Kroger "was informed by Accellion of the legacy and unsecured nature of FTA, and was told that it should switch over to a more secure platform, but failed to do so."
Still in Use
Accellion's legacy FTA product is still used by hundreds of organizations in the finance, healthcare, government and insurance sectors to transfer sensitive files (see: The Accellion Mess: What Went Wrong?).
An Accellion spokesman tells Information Security Media Group that fewer than 100 of approximately 300 FTA users were affected by the security incident. "Within this group, fewer than 25 appear to have suffered significant data theft," he says.
In mid-December, Accellion patched a SQL injection vulnerability in FTA and privately notified its customers. But that was just the first of a series of vulnerabilities that subsequently were found and patched, according to FireEye's Mandiant forensics unit, which has been retained by Accellion.
Some Accellion customers report subsequently being hit with a one-two punch: First, their data was stolen. Then they received emails from a criminal group called Clop asking for a ransom in exchange for not publishing the data online.
Some legal experts note the Accellion situation shines a spotlight on the security risks and potential liability issues involving the use of third-party legacy products.
Privacy attorney Iliana Peters of law firm Polsinelli notes that many entities continue to use legacy applications for years.
"The use of these legacy tools obviously creates risk, and sometimes significant risk, for those entities, as evidenced by security incidents over and over again - including in cyberattacks like WannaCry," she says.
"Both HIPAA requirements and industry guidance, including from the National Institute of Standards and Technology, require that entities implement a patch management program and either patch legacy tools, or implement reasonable compensating controls for such tools if a patch is no longer possible. In other words, just like with all of its other assets that hold sensitive data, any particular entity should understand the risks to its enterprise of using a legacy tool and implement safeguards to mitigate the risks, particularly if patches are no longer available."
Lessons to Learn
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. says the Accellion situation offers several important lessons for those using legacy products.
"Quite apart from patching, attention must be paid to products that are about to go obsolete and/or unsupported. Legacy hardware and software must be inventoried and evaluated from a risk perspective," he says. "A risk assessment by the customer should be taken, but this means also that, at minimum, the vendor should notify customers about the decreased security level of the appliance. It also depends on the terms and conditions."
In addition to the lawsuits filed against Accellion by consumers whose data was compromised, at least one of the company's clients - insurer Centene Corp., has also filed a lawsuit against the company, alleging that Accellion refused to comply with a list of provisions in its business associate agreement.