American Bank Systems Hit with Class Action Over Fall 2020 Data Breach [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

American Bank Systems, Inc. faces a proposed class action over a data breach in which unauthorized parties reportedly stole over 50 gigabytes of data that included consumers’ personal and financial information.

According to the lawsuit, the breach can be chalked up to American Bank Systems’ failure to implement “basic security procedures,” which left consumers’ private information vulnerable to hackers. Per the case, those affected by the breach now face a substantial risk of identity theft and fraud “both currently and for the indefinite future.”

American Bank Systems (ABS), the suit explains, is a third-party vendor that provides compliance and document management services to over 350 banks and financial institutions in 35 states. As a result, ABS maintains credentialing information for financial institutions and possesses files containing the personal and financial information of the banks’ customers, the case relays.

According to the suit, ABS was the target of a ransomware attack in which the company’s systems were hacked and over 50 GB of data was stolen. Ransomware attacks, the case explains, typically involve a hacker gaining access to a victim’s systems through a “Trojan” email and introducing malware that uses encryption methods to block the victim from using or accessing the targeted data until a ransom is paid. Per the lawsuit, ABS was targeted by a new variant of ransomware called Avaddon.

In November 2020, the case relays, the group purporting to be behind the Avaddon malware attacks published a “leak warning” in which they claimed to have stolen over 50 GB of ABS’s data and demanded a ransom in exchange for its release, threatening to publicly disclose the sensitive data if the ransom was not paid. According to the suit, the stolen data included customers’ names, dates of birth, phone numbers, addresses, bank account and loan information, and Social Security numbers.

Analysis by one news outlet notes that much of the data appeared to have been stored by ABS in plaintext files, meaning anyone with access to the files could read them, the suit states. The article estimated that the breach initially began “sometime in or before early October.”

According to the case, the full 52.57 GB of data was leaked by November 14, 2020 after ABS apparently refused to pay the ransom.

The lawsuit states that several of ABS’s banking customers, including Pennsylvania-based NexTier Bank, notified customers that their personal information stored on ABS’s systems was compromised. Per the case, NexTier was not notified of the breach until November 18, which was “at least several weeks after the incident began” and more than two weeks after the incident had been publicly reported.

The case argues that ABS knew or should have known the importance of safeguarding consumers’ personal and financial information yet failed to follow recommended cybersecurity guidelines that could have prevented the breach from occurring. From the complaint:

“Had ABS remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field, ABS could have prevented intrusion into its information storage and security systems and, ultimately, the theft of Plaintiff’s and Class Members’ confidential [personally identifiable information].”

Per the suit, those affected by the ABS breach face “long lasting and severe” damages, including a heightened risk of identity theft and fraud that will likely extend into the foreseeable future.

The lawsuit looks to cover anyone in the U.S. whose personally identifiable information was compromised in the American Bank Systems data breach that occurred between October and November 2020.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.