Kroger, British Airways Agree to Settle Data Breach LawsuitsClass Actions Filed Against Each Company After Hacking Incidents
U.S.-based pharmacy and supermarket chain Kroger and U.K.-based British Airways have each agreed to settle class action lawsuits filed in the wake of two massive data breaches.
Under a proposed settlement filed recently in a California federal court, Kroger agrees to pay $5 million to resolve claims in several class action lawsuits filed in the wake of a data breach affecting more than 3.8 million employees and customers that involved its file transfer service vendor, Accellion.
Meanwhile, British Airways has agreed to undisclosed terms to settle a class action lawsuit filed in the wake of a 2018 data breach that led to the compromise of private information on 420,000 customers and employees.
Kroger's Proposed Settlement
The lawsuits against Kroger were filed in the wake of the hacking incident involving the exploit of zero-day flaws in Accellion's legacy File Transfer Appliance software.
Such exploits apparently affected dozens of other Accellion clients in healthcare and many other sectors.
Court documents note that the proposed Kroger settlement would only potentially resolve claims against Kroger - not Accellion - in several class action lawsuits filed earlier this year against both companies.
Under the proposed Kroger deal, claimants may elect to receive a choice of a cash payment calculated in accordance with specific terms of the settlement agreement, two years of credit monitoring and insurance services or reimbursement of documented losses of up to $5,000.
Kroger also has agreed to enhance its third-party vendor risk management program, court documents note.
The Kroger settlement documents note: "Accellion provided notice to its clients, like Kroger, that a newer and more secure Accellion file transfer product called Kiteworks was available, and that clients should migrate to this product. … Plaintiffs allege that Kroger did not promptly do so."
The lawsuits filed against Accellion allege that the company did not adequately address security shortcomings in its legacy Kiteworks FTA product.
In mid-December, Accellion patched a SQL injection vulnerability in FTA and privately notified its customers. But that was just the first in a series of vulnerabilities that subsequently were found and patched, according to FireEye's Mandiant forensics unit, which was retained by Accellion.
Some Accellion customers report subsequently receiving emails from a criminal group called Clop asking for a ransom in exchange for not publishing data online.
Kroger's settlement documents note that the retailer learned of the FTA data breach on Jan. 23, and on Feb. 2 it received a ransom demand in exchange for a commitment not to disseminate Kroger’s data. "Kroger informed the FBI and paid the ransom on Feb. 18," the settlement documents note.
"The extortion entity returned the data the next day, along with a video purporting to show the deletion of Kroger’s files," the documents state. "While nothing stops the extortion entity on reneging on its commitments, Kroger reports that it continually has monitored the dark web to make certain that the data was not retained or disseminated."
Kroger did not immediately respond to an Information Security Media Group request for comment on the proposed settlement.
No Sure Bet
Privacy and security attorney Paul Hales, of the Hales Law Group, who is not involved in either the Kroger or British Airways case, says he has strong doubts that the proposed settlement in the Kroger lawsuit will be approved by the court.
"The Kroger case has not yet been certified as a class action. … Additionally, to have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, that they suffered a concrete harm, he says.
"In this case, which is at an early stage, the plaintiffs have not submitted evidence of ‘concrete harm’ nor has Kroger had the opportunity to challenge that claim. More is needed to support approval of the settlement as a matter of law than arguing it would be a good deal for the parties."
British Airways Settles Suit
Meanwhile, British Airways and the U.K. law firm PGMBM recently settled a class action lawsuit for an undisclosed amount of money stemming from the 2018 data breach.
The case was filed in a U.K. court in April 2020 under the European Union's General Data Protection Regulation.
"We apologized to customers who may have been affected by this issue and are pleased we've been able to settle the group action. When the issue arose, we acted promptly to protect and inform our customers," British Airways tells Information Security Media Group.
PGMBM notes in a statement that the resolution includes the provision for compensation for qualifying claimants who were part of the litigation but does not include any admission of liability by British Airways.
British Airways revealed the data breach on Sept. 7, 2018, noting the malicious actor used a Magecart-style attack to gain entry and then obtained names, addresses, payment card numbers and CVVs. Usernames and passwords of employee and administrator accounts were also exposed, as were usernames and PINs of up to 612 BA Executive Club accounts.
The U.K.'s Information Commissioner's Office initially said it would fine British Airways $238 million for the breach under GDPR, but when the ICO issued the final penalty in October 2020, the amount was reduced to $26 million. The ICO cited the economic impact of COVID-19 on the travel industry as the primary reason for the reduction.
"The Information Commissioner's Office laid out how BA did not take adequate measures to keep its passengers' personal and financial information secure," says Harris Pogust, PGMBM chairman. "However, this did not provide redress to those affected. This settlement now addresses that."
Addressing the current cyberthreat crisis "is complicated," says attorney Ron Raether, a partner at the law firm Troutman Pepper, who is not involved in the British Airways or Kroger case.
"Regulators have struggled with whether a carrot or stick will address these issues. The EU - and in part the U.K. - avoided using the stick," he says. With the British Airway incident - as well as a massive breach involving Marriott - "the ICO appears to be changing course," he says.
"However, as in the U.S., the ICO will find that the stick approach will not move the needle. Instead, regulators and companies need to join together to fight this common enemy."
Privacy attorney Iliana Peters of the law firm Polsinelli says class action settlements involving breaches stemming from vendor incidents offer important reminders.
"Information technology and other supply chain vendors of all types are a target for cyberthreat actors, because of all of the important data they hold for entities of all types," she says. "As such, entities should take the time to scrutinize their vendor relationships and agreements pertaining to those relationships, to ensure that those relationships are well-defined, not only with regard to the services provided, but also with regard to data rights and indemnification in the case of a security incident or data breach."