Printed from BusinessInsurance.com

No money changing hands in Chubb ransomware settlement

Posted On: Dec. 9, 2022 2:22 PM CST


Litigation between a Chubb unit and a software company that was charged with failing to adequately inform a law firm of vulnerabilities in its electronic file-sharing software, which led to a $2 million ransomware payment, has been settled with no money changing hands, according to the company.

Palo Alto, California-based Accellion had provided software services to an unidentified Boston law firm that was a policyholder of Chubb unit Ace American Insurance Co., according to court papers in Ace American Insurance Co. v. Accellion Inc.

In December 2020, Accellion became aware of software vulnerabilities and notified its customers, but allegedly sent the security fix to two persons who had left the firm several years earlier, even though the law firm had allegedly asked the company in 2017 to update its contact information, according to the complaint in the case. As a result, the law firm’s computer system was not updated, the complaint said. 

The same month, after the alert was issued, an unauthorized user gained access to the law firm’s files, which led the law firm and/or Ace to pay more than $2 million in exchange for the hacker agreeing not to publish the exfiltrated files, to provide a list of all data taken and to destroy the data in its possession. The law firm also incurred $375,000 in expenses and attorneys’ fees, the complaint said.

Ace filed suit against Accellion in U.S. District Court in Oakland, California, in December 2021, seeking more than $2.4 million as well as interest and costs.

In a cross complaint filed in April, Accellion said that under the law firm’s end user license agreement, Accellion’s potential liability is limited to the fees paid by the customer in the previous 12 months, which in this case totaled $42,181.82. 

Accellion also said the law firm did not receive the vulnerability notification because it had opted out of receiving software update notifications. Accellion sought a declaratory judgment in the company’s favor.

The parties notified the court they had reached a settlement, according to the court’s conditional dismissal, which was issued Wednesday.

Accellion general counsel Camilo Artiga-Purcell said in a statement, “We are pleased to see that, after discovery and evaluation of the evidence, Ace American Insurance Company determined to dismiss its civil complaint with prejudice against Accellion, Inc.”

Accellion Inc. CEO Jonathan Yaron said in a statement, “Our team worked around the clock following the criminal hack to develop and release patches to resolve each (File Transfer Appliance) vulnerability and to provide unwavering support to customers affected by the incident.

“This is corroboration that the processes and efforts our team followed before, during, and after the breach demonstrated utmost prudence and care for all customers.”

Chubb’s attorneys did not respond to a request for comment.

Earlier this week, a federal district court ruled against a Chubb Corp. unit and held that a Portland, Oregon, beverages and sauces manufacturer is entitled to the more than $107,000 it reimbursed its president after he made a ransomware payment out of his personal cryptocurrency funds.