American Bank Systems Ransomware Attack Class Action

The 2020 ransomware attack on American Bank Systems, Inc. (ABS) did not involve a freezing of information: the hackers simply threatened to expose the data if the ransom was not paid. The complaint for this class action alleges that ABS bears responsibility for the vulnerability of the information, for its subsequent exposure, and also for not providing timely and adequate warning to those affected.

The class for this action is all individuals in the US and its territories whose PII was exposed in the data breach of American Bank Systems which took place between October and November 2020.

ABS, which is headquartered in Oklahoma, offers document management and compliance software for use in the financial services industry. The complaint quotes the ABS website as saying that the company “is serving more than 350 banks, credit unions and other financial institutions in 35 states—and counting.”

But was it careful enough with its own information? The complaint says no: “ABS failed to comply with industry standards to protect information systems that contain … PII, failed to take reasonable steps to prevent the PII from being disclosed, and failed to provide timely, accurate, and adequate notice to [those affected] that their PII had been compromised.”

The vehicle for the hack on ABS’s systems was Avaddon, a new variety of ransomware. In November 2020, the complaint says, the Avaddon hackers “published a ‘leak warning’ claiming that they had successfully hacked into ABS’s information systems and collected over 50 gigabytes of data from ABS and its customers.” Certain sources claimed that the group had previously published 4 gigabytes of information from the database and threatened ABS with publication of the remainder unless ABS paid the ransom the group was demanding.

It appears that ABS did not pay the requested ransom, because the Avaddon group subsequently published 52.57 gigabytes of additional information.

The published data contained personally identifiable information (PII), including names, dates of birth, bank account and loan information, and Social Security numbers. The complaint alleges, “Much of the data that was disclosed appears to have been stored by ABS in unencrypted, plain-text files—meaning that anyone who gained access to the files could fully read the information (and sensitive PII) therein.”

The counts include negligence, negligence per se, unjust enrichment, and violations of the Oklahoma Consumer Protection Act. The complaint also asks that the court make a declaratory judgment, declaring (1) that ABS has a legal duty to properly safeguard consumers’ PII and to timely notify them of any data breach, and (2) that ABS is still failing to use reasonable security measures to protect consumers’ PII.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

American Bank Systems Ransomware Attack Complaint

December 30, 2020

Tags: Exposing Private Information, Exposure to cyber crime, Ransomware Attack, Your Privacy