
It seems that personally identifiable information (PII) can now get exposed not just through a company that does not take adequate care of it, but also through its vendors, and even its vendors’ vendors. This class action concerns a data breach that exposed the information of customers of Banco Popular de Puerto Rico, which occurred through one of its vendors, via a vulnerability in a legacy file-sharing software product from Accellion called Accellion FTA.
The Nationwide Class for this action is all individuals living in the US whose PII was accessed during the security incident referenced in the notice sent out on or around June 25, 2021.
The complaint quotes a version of the June 25, 2021 notice that was provided to the Attorney General of Montana as saying, “We write to inform you that a vendor of Popular has informed us that it was a victim of a cybersecurity breach that included Popular files.” According to the complaint, Popular used that unnamed vendor to store or share information on its customers.
The notice, as quoted in the complaint, also said, “The breach involved the compromise of software owned by Accellion, Inc. that our vendor had used for secure file transfer for its customers, including Popular.” The notice claimed that the vendor had stopped using the affected software.
The information compromised, the complaint alleges, included names, addresses, accounts, and/or Social Security numbers.
“However,” the complaint claims, “the details of the root cause of the Data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure a breach does not occur again have not been shared with regulators or Plaintiff and Class Members…”
Accellion FTA was an older software program for file sharing that had been offered by Accellion. The complaint alleges, “On May 18, 2021, Accellion announced that 75% of its customers impacted by the exploitation of the vulnerability in Accellion FTA had migrated to another Accellion product known as ‘Kiteworks.’” Accellion made clear that Accellion FTA was a “legacy” product and “further asserted that Kiteworks, unlike Accellion FTA, was a ‘modern, secure’ platform for protecting third-party communications.”
Since Accellion FTA was a “legacy” program, the complaint says, Banco Popular “should have migrated to Kiteworks or another superior solution before the Data Breach occurred.” However, the complaint alleges that it kept on using the older, less secure software.
The complaint alleges that Banco Popular’s (or its vendor’s) “continued use of Accellion FTA, despite the availability of a superior and more secure alternative, resulted in criminals exfiltrating the Social Security numbers and other PII” that Banco Popular held on its customers.
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
Banco Popular Vendor Used “Legacy” Software, Exposing PII Complaint
May 12, 2022