[BreachExchange] American Bank Systems slapped with class-action lawsuit for not timely disclosing ransomware data breach

Destry Winant destry at riskbasedsecurity.com
Fri Dec 18 11:15:58 EST 2020


https://securityreport.com/american-bank-systems-slapped-with-class-action-lawsuit-for-not-timely-disclosing-ransomware-data-breach/

This year, American Bank Systems (ABS) was hit with a ransomware
attack, as reported by Security Report, which the company failed to
disclose to its customers in time.

As a part of this data breach, a full 53 GB dump of the data
pertaining to ABS and its clients, which include multiple banking
names and mortgage companies such as First Federal Community Bank,
Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust, and so on,
was leaked by the threat actors after several attempts to extort a
ransom payment.

This data included the banking customers’ personally identifiable
information (PII) such as loan records, SSNs, documents, emails,
contracts, network shares, and passwords to sensitive drives.

A Law360 news report published yesterday states ABS has now been
slapped with a class-action lawsuit due to its failure to protect
its customers’ information, and for keeping them in the dark for
weeks after the initial ransomware attack.

“As a result of ABS’s failure to implement and follow basic security
procedures, plaintiff’s and class members’ PII is now in the hands of
criminals,” read the complaint, filed Wednesday in a Pennsylvania
federal court.

“Plaintiff and class members face a substantial increased risk of
identity theft, both currently and for the indefinite future.
Consequently, plaintiff and class members have had to spend, and will
continue to spend, significant time and money in the future to protect
themselves due to ABS’s failures.”

As far as the timeline is concerned, Security Report analyzed the
timestamps on the leaked files and deduced the cyber attack had struck
American Bank Systems sometime in or before early October.

It wasn’t until November 18th, however, nearly 4 days after our
report, that the company began disclosing to its customers the details
of the data breach. ABS had also not responded to our request for
comment.

“According to NexTier Bank, it was not notified by ABS of the data
breach until November 18, 2020, which was at least several weeks after
the incident began, and more than two weeks after the data breach was
first publicly reported,” the complaint further reads.

The class-action lawsuit is brought forward by plaintiff Mitchell
Lautman, a citizen and resident of the Commonwealth of Pennsylvania,
and a customer of NexTier whose PII was exposed as a result of this
data breach.

The lawsuit alleges that, by not sufficiently protecting sensitive
data, ABS was in breach of Federal Trade Commission (FTC) rules and
put customers at risk of identity theft for years to come.

“ABS, a company that promotes its trustworthiness, has a
responsibility to securely maintain the customer PII that it receives
and keep it safe from harm. ABS was on notice that PII, specifically
when it includes financial information, is a prime target for data
breaches,” states the 26-page court filing.

While more details pertaining to this case are yet to come, this is a
reminder to companies and financial institutions to prioritize data
security, and to not delay in disclosing crucial matters to their
customers, such as a data breach.

