[BreachExchange] In Wake of Breaches, Accellion Faces at Least 14 Lawsuits

[Destry Winant]

https://www.healthcareinfosecurity.com/in-wake-breaches-accellion-faces-at-least-14-lawsuits-a-16360

At least 14 lawsuits seeking class-action status have been filed
against Accellion in the wake of breaches that exploited zero-day
flaws in the vendor's 20-year-old File Transfer Appliance. A motion to
consolidate the cases has also been filed.

In recent weeks, many Accellion clients in healthcare and other
sectors have issued breach notifications to their customers warning
that their personal information was potentially exposed in FTA
breaches (see: More Accellion Health Data Breaches Revealed).

The lawsuits, which allege that Accellion did not adequately address
security shortcomings in its legacy FTA product, seek damages.

Outdated Product

A lawsuit against Accellion and one of its clients, the supermarket
chain Kroger, notes that "key people within Accellion have
acknowledged the need to leave the FTA platform behind due to the
security concerns raised by it."

Accellion’s CMO, Joel York, confirmed that the company "is encouraging
its clients to discontinue use of FTA because it does not protect
against modern data breaches," the lawsuit notes.

The lawsuit also points out that in a report in February, Accellion
CISO Frank Balonis stated that “future exploits of [FTA] . . . are a
constant threat. We have encouraged all FTA customers to migrate to
Kiteworks [another Accellion product] for the last three years and
have accelerated our FTA end-of-life plans in light of these attacks.
We remain committed to assisting our FTA customers, but strongly urge
them to migrate to Kiteworks as soon as possible.”

The lawsuit contends that "despite knowing that FTA left Accellion’s
customers - like Kroger - and third parties interacting and
transacting with its customers [their data] exposed to security
threats, Accellion continued to offer and Kroger continued to utilize
the FTA file transfer product at the time of the data breach.”

Accellion declined Information Security Media Group's request for
comment on the lawsuits, and Kroger did not immediately respond to a
request for comment.

The Issue of Negligence

Regulatory attorney Paul Hales of the Hales Law Group, who is not
involved in the case, says that if Accellion is determined to have
been negligent because it kept a product on the market despite known
security flaws, organizations that had been warned of the security
flaws and continued to use the product might also be found negligent.

"Accordingly, the actions of both Accellion and a customer using its
flawed software with knowledge of the flaws could be liable for
damages resulting from a data breach caused by use of the product," he
says.

"The allegations call for extensive discovery. It likely will be a
long time before it can be determined if there are sufficient facts to
support plaintiffs' complaints."

Use of Outdated Product

The Kroger lawsuit alleges the company "through knowing, intentional
and material omissions, concealed that its data privacy and security
was inadequate and that it knowingly used unsecured file transfer
software, namely the FTA platform, which put its pharmacy customers at
risk of exposure."

As a result of Kroger’s alleged actions, plaintiffs and class members
suffered damages, the lawsuit states. Those include lost control over
sensitive personal Information, lost time addressing the consequences
of the data breach and actual fraud or risk of future harm as a result
of the theft of personal information, the lawsuit alleges.

Kroger "was informed by Accellion of the legacy and unsecured nature
of FTA, and was told that it should switch over to a more secure
platform, but failed to do so."

Still in Use

Accellion's legacy FTA product is still used by hundreds of
organizations in the finance, healthcare, government and insurance
sectors to transfer sensitive files (see: The Accellion Mess: What
Went Wrong?).

An Accellion spokesman tells Information Security Media Group that
fewer than 100 of approximately 300 FTA users were affected by the
security incident. "Within this group, fewer than 25 appear to have
suffered significant data theft," he says.

In mid-December, Accellion patched a SQL injection vulnerability in
FTA and privately notified its customers. But that was just the first
of a series of vulnerabilities that subsequently were found and
patched, according to FireEye's Mandiant forensics unit, which has
been retained by Accellion.

Some Accellion customers report subsequently being hit with a one-two
punch: First, their data was stolen. Then they received emails from a
criminal group called Clop asking for a ransom in exchange for not
publishing the data online.

Legacy Risk

Some legal experts note the Accellion situation shines a spotlight on
the security risks and potential liability issues involving the use of
third-party legacy products.

Privacy attorney Iliana Peters of law firm Polsinelli notes that many
entities continue to use legacy applications for years.

"The use of these legacy tools obviously creates risk, and sometimes
significant risk, for those entities, as evidenced by security
incidents over and over again - including in cyberattacks like
WannaCry," she says.

"Both HIPAA requirements and industry guidance, including from the
National Institute of Standards and Technology, require that entities
implement a patch management program and either patch legacy tools, or
implement reasonable compensating controls for such tools if a patch
is no longer possible. In other words, just like with all of its other
assets that hold sensitive data, any particular entity should
understand the risks to its enterprise of using a legacy tool and
implement safeguards to mitigate the risks, particularly if patches
are no longer available."

Lessons to Learn

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg
P.C. says the Accellion situation offers several important lessons for
those using legacy products.

"Quite apart from patching, attention must be paid to products that
are about to go obsolete and/or unsupported. Legacy hardware and
software must be inventoried and evaluated from a risk perspective,"
he says. "A risk assessment by the customer should be taken, but this
means also that, at minimum, the vendor should notify customers about
the decreased security level of the appliance. It also depends on the
terms and conditions."

In addition to the lawsuits filed against Accellion by consumers whose
data was compromised, at least one of the company's clients - insurer
Centene Corp., has also filed a lawsuit against the company, alleging
that Accellion refused to comply with a list of provisions in its
business associate agreement.