American Bank Systems slapped with class-action lawsuit for not timely disclosing ransomware data breach

This year, American Bank Systems (ABS) was hit with a ransomware attack, as reported by Security Report, and the company failed to disclose it to its customers in time.

As part of this data breach, a full 53 GB dump of the data pertaining to ABS and its clients (which include multiple banking names and mortgage companies, such as First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust, and so on) was leaked by the threat actors after several attempts to extort a ransom payment.

This data included the banking customers’ personally identifiable information (PII) such as loan records, SSNs, documents, emails, contracts, network shares, and passwords to sensitive drives.

A Law360 news report published yesterday states that ABS has now been slapped with a class-action lawsuit due to its failure to protect its customers’ information, and for keeping them in the dark for weeks after the initial ransomware attack.

“As a result of ABS’s failure to implement and follow basic security procedures, plaintiff’s and class members’ PII is now in the hands of criminals,” read the complaint, filed Wednesday in a Pennsylvania federal court.

“Plaintiff and class members face a substantial increased risk of identity theft, both currently and for the indefinite future. Consequently, plaintiff and class members have had to spend, and will continue to spend, significant time and money in the future to protect themselves due to ABS’s failures.”

As far as the timeline is concerned, Security Report analyzed the timestamps on the leaked files and deduced the cyber attack had struck American Bank Systems sometime in or before early October.

It wasn’t until November 18th, however, nearly 4 days after our report, that the company began disclosing to its customers the details of the data breach. ABS had also not responded to our request for comment.

“According to NexTier Bank, it was not notified by ABS of the data breach until November 18, 2020, which was at least several weeks after the incident began, and more than two weeks after the data breach was first publicly reported,” the complaint further reads.

The class-action lawsuit is brought forward by plaintiff Mitchell Lautman, a citizen and resident of the Commonwealth of Pennsylvania, and a customer of NexTier whose PII was exposed as a result of this data breach.

The lawsuit alleges that, by not sufficiently protecting sensitive data, ABS was in breach of Federal Trade Commission (FTC) rules and put customers at risk of identity theft for years to come.

“ABS, a company that promotes its trustworthiness, has a responsibility to securely maintain the customer PII that it receives and keep it safe from harm. ABS was on notice that PII, specifically when it includes financial information, is a prime target for data breaches,” states the 26-page court filing.

While more details pertaining to this case are yet to come, this is a reminder to companies and financial institutions to prioritize data security, and to not delay in disclosing crucial matters to their customers, such as a data breach.

A copy of the complaint is provided below for reference:

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
