The class action lawsuit was filed on behalf of victims whose personal information was exposed during a cyber-attack on Accellion’s file transfer appliance (FTA).
Accellion had been using the FTA for more than 20 years to securely share files deemed too sensitive or large to be sent over email. Before the cyber-attack occurred, Accellion actively phased out the FTA and encouraged its clients to use a newly developed file transfer solution named Kiteworks.
Four months before the legacy file transfer solution was due to be retired on April 30 2021, it was attacked by two advanced persistent threat (APT) groups linked to FIN11 and the CLOP ransomware gang.
By exploiting unpatched vulnerabilities in the FTA, the attackers were able to gain access to the files of Accellion’s clients from which they exfiltrated a sizable amount of data.
Sensitive data potentially compromised and stolen in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers and healthcare data.
Many Accellion clients were impacted by the breach, including Shell, The University of California, Stanford University School of Medicine, Bombardier, University of Miami Health, Trillium, Community Health Plan and Kroger.