American Bank Systems slapped with class-action lawsuit for not timely disclosing ransomware data breach

This year, American Bank Systems (ABS) was hit with a ransomware attack as reported by Security Report, which the company failed to disclose to its customers in time.

As a part of this data breach, a full 53 GB dump of the data pertaining to ABS and its clients —which include multiple banking names and mortgage companies, such as First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust, and so on, was leaked by the threat actors after several attempts to extort a ransom payment.

This data included the banking customers’ personally identifiable information (PII) such as loan records, SSNs, documents, emails, contracts, network shares, and passwords to sensitive drives.

A Law360 news report published yesterday states ABS has now been slapped with a class-action lawsuit due to its failure to protect their customers’ information, and for keeping them in the dark for weeks after the initial ransomware attack.

“As a result of ABS’s failure to implement and follow basic security procedures, plaintiff’s and class members’ PII is now in the hands of criminals,” read the complaint, filed Wednesday in a Pennsylvania federal court.

“Plaintiff and class members face a substantial increased risk of identity theft, both currently and for the indefinite future. Consequently, plaintiff and class members have had to spend, and will continue to spend, significant time and money in the future to protect themselves due to ABS’s failures.”

As far as the timeline is concerned, Security Report analyzed the timestamps on the leaked files and deduced the cyber attack had struck American Bank Systems sometime in or before early October.

It wasn’t until November 18th, however, nearly 4 days after our report, that the company began disclosing to its customers the details of the data breach. ABS had also not responded to our request for comment.

“According to NexTier Bank, it was not notified by ABS of the data breach until November 18, 2020, which was at least several weeks after the incident began, and more than two weeks after the data breach was first publicly reported,” the complaint further reads.

The class-action lawsuit is brought forward by plaintiff Mitchell Lautman, a citizen and resident of the Commonwealth of Pennsylvania, and a customer of NexTier whose PII was exposed as a result of this data breach.

By not sufficiently protecting sensitive data the lawsuit alleges ABS was in breach of Federal Trade Commission (FTC) rules and put customers at the risk of identity theft for years to come.

“ABS, a company that promotes its trustworthiness, has a responsibility to securely maintain the customer PII that it receives and keep it safe from harm. ABS was on notice that PII, specifically when it includes financial information, is a prime target for data breaches,” states the 26-page court filing.

While more details pertaining to this case are yet to come, this is a reminder to companies and financial institutions to prioritize data security, and to not delay in disclosing crucial matters to their customers, such as a data breach.

A copy of the complaint is provided below for reference: