The Accellion File Transfer Data Breach Class Action stems from one of the largest coordinated cyberattacks on enterprise file transfer systems and resulted in a federal court settlement of $8.1 million to compensate approximately 9.2 million individuals whose personal information was stolen. Between December 2020 and January 2021, hackers exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance software to infiltrate over 100 organizations, including major health insurers like Health Net and Centene, universities, and government agencies, creating one of the most significant data breaches of the past five years. If you received notification that your personal information was compromised in the Accellion breach, you may be eligible to claim compensation through the settlement process by receiving two years of free credit monitoring, by submitting documentation of financial losses for reimbursement up to $10,000, or by accepting a cash payment estimated between $15 and $50 per person, depending on the final claims pool.
Table of Contents
- How Did Hackers Attack Accellion’s Systems?
- Who Was Affected by the Accellion Data Breach and What Information Was Stolen?
- What Did the Federal Court Settlement Accomplish?
- What Compensation Can Class Members Receive?
- What Requirements Did Accellion Agree to Follow Going Forward?
- What Other Settlements Arose From the Accellion Breach?
- What Does This Breach Reveal About Vulnerabilities in Enterprise File Transfer Systems?
- Conclusion
How Did Hackers Attack Accellion’s Systems?
The attack on Accellion’s File Transfer Appliance began in mid-December 2020 when sophisticated threat actors discovered and exploited previously unknown zero-day vulnerabilities in the legacy software system. Rather than a single breach, this was a sustained campaign that continued through January 2021, with attackers methodically installing web shells on compromised systems and exfiltrating sensitive data from customer networks.
The attackers’ ability to find and exploit multiple unpatched vulnerabilities before Accellion could release fixes gave them weeks of unfettered access to victim organizations’ most confidential information. What made this attack particularly damaging was its scope: over 100 organizations fell victim, meaning the attackers weren’t targeting a single company but rather using Accellion’s widely deployed file transfer system as a gateway into dozens of separate networks simultaneously. Health insurers, universities, and government agencies all discovered their data had been stolen by the same coordinated group of threat actors, and each faced its own notification obligations and liability exposure.

Who Was Affected by the Accellion Data Breach and What Information Was Stolen?
The breach affected approximately 9.2 million individuals across all litigation cases, with specific healthcare organizations bearing the heaviest impact. Health Net, one of California’s major health insurers, disclosed that 1.2 million of its members had personal information exposed, while Centene subsidiaries reported that over 1.3 million patients were affected. Beyond the healthcare sector, the breach touched universities, financial services firms, and government agencies that relied on Accellion’s file transfer system for exchanging sensitive documents.
The types of data exfiltrated included personally identifiable information, health insurance details, financial records, and in some cases Social Security numbers and medical information, the kind of sensitive data that puts victims at high risk for identity theft and fraud. This exposes a critical limitation of the settlement: even though class members are offered two years of credit monitoring and fraud insurance, that protection window eventually expires, and the data stolen in 2020 and 2021 remains vulnerable to future misuse. Some victims have experienced identity theft claims years after the breach notification, revealing that perpetrators often sit on stolen data for extended periods before attempting to monetize it.
What Did the Federal Court Settlement Accomplish?
In October 2025, more than four years after the initial attack, a federal court certified five customer-specific subclasses in the litigation, allowing certain groups of victims to proceed with claims for nominal damages under “disclosure of private information” theories. However, the court notably declined to certify a broader negligence class action covering approximately 5 million of the breach victims, finding insufficient commonality among such a large and disparate group.
The resulting settlement established an $8.1 million fund, with $4.6 million placed into escrow within ten business days of the settlement’s execution and the remaining $3.5 million due within ten business days after preliminary court approval. This settlement structure, where substantial funds are held in reserve before final approval, is a standard protective mechanism, though it meant that some class members had to wait many months beyond the initial settlement announcement before compensation actually became available. The settlement’s modest size relative to the millions affected reflects the difficulty of proving direct financial damages from a data breach, where harm is often measured in credit monitoring costs or identity theft claims rather than documented out-of-pocket losses.

What Compensation Can Class Members Receive?
The settlement offers class members two distinct compensation pathways. The first option provides two years of three-bureau credit monitoring and identity theft insurance services—a practical but limited benefit that covers only monitoring costs and fraud liability insurance. The second option allows affected individuals to claim either documented financial losses up to $10,000 or accept an estimated cash payment ranging from $15 to $50 per person, depending on the total number of valid claims submitted.
The choice between these options involves a tradeoff worth considering carefully. Credit monitoring is more valuable if you plan to actively monitor your credit report and address any fraudulent activity that appears, but it provides no cash compensation and expires after two years. Documented loss reimbursement can be substantial—up to $10,000—but requires proof that you incurred specific expenses as a direct result of the breach, such as credit monitoring fees you paid before the settlement was reached, identity theft recovery costs, or fraudulent charges on your accounts. The estimated cash payment path offers certainty and simplicity but typically returns less money than either of the other two options, making it most suitable for victims who experienced minimal documented damages and prefer quick compensation without the burden of collecting receipts and documentation.
What Requirements Did Accellion Agree to Follow Going Forward?
As part of the settlement, Accellion agreed to several injunctive relief requirements aimed at preventing similar breaches in the future. Most significantly, Accellion committed to fully retiring its vulnerable File Transfer Appliance product, meaning organizations using FTA systems will no longer receive updates or support, a critical limitation for any customer who hadn’t already migrated to Accellion’s newer Kiteworks platform.
Additionally, Accellion agreed to maintain FedRAMP certification for its Kiteworks offering (a security credential required for government contracts), significantly expand its bug bounty program to incentivize external security researchers to identify vulnerabilities, provide annual cybersecurity training to all employees, employ personnel with formal cybersecurity responsibilities, and publicly confirm its compliance with these requirements periodically on its website. However, a significant caveat applies: Accellion has accepted no liability for the breach and has denied all allegations throughout the litigation, meaning the company maintained its legal position that it bears no responsibility even while agreeing to these operational changes. For victims seeking accountability or admission of fault, the settlement provides neither—it resolves only the financial claims while leaving Accellion’s legal denials intact.

What Other Settlements Arose From the Accellion Breach?
Beyond the primary $8.1 million Accellion settlement, related litigation produced additional recovery for affected parties. The University of California’s breach settlement (Erazo v. UC Regents) reached $5.8 million on May 29, 2025, compensating 353,265 class members whose information was exposed when UC systems were compromised through Accellion.
This separate settlement emerged because UC faced its own negligence liability for failing to promptly detect and respond to the breach, creating a different legal theory than the one against Accellion itself. Centene Corporation, one of the nation’s largest health insurance companies whose subsidiaries were heavily impacted by the breach, separately agreed to pay $10 million to resolve a lawsuit focused not on the initial breach itself but on Centene’s handling of its response and notifications to affected patients. These related settlements demonstrate how a single data breach can generate multiple rounds of litigation and compensation, with different organizations bearing liability for different aspects of the incident—Accellion for exploitable vulnerabilities, UC for detection failures, and Centene for inadequate response measures.
What Does This Breach Reveal About Vulnerabilities in Enterprise File Transfer Systems?
The Accellion breach exposed a persistent vulnerability in how organizations approach legacy software systems: many companies continue using older, unpatched software platforms long after newer alternatives are available because migrating thousands of users to new systems is expensive and disruptive. Accellion’s File Transfer Appliance was first released in the mid-2000s and became deeply embedded in enterprise and government workflows, creating institutional inertia that kept organizations running vulnerable code even as technology evolved.
The fact that the breach exploited zero-day flaws—previously unknown vulnerabilities—also underscores that no amount of patching can provide complete security; organizations face inherent risk using any software system, and the only true mitigation is either moving to alternative platforms or accepting the risks explicitly. Looking forward, the settlement and related enforcement actions send a signal that companies maintaining legacy systems face potential liability not just for the security vulnerabilities themselves but for failure to maintain the systems adequately or retire them on reasonable timelines. This case may accelerate the deprecation of older enterprise software platforms, as the legal and financial exposure of continuing to support vulnerable legacy systems becomes increasingly apparent.
Conclusion
The Accellion File Transfer Data Breach Class Action settlement provides $8.1 million in compensation to resolve claims affecting millions of individuals across healthcare, government, and education sectors, with class members eligible to receive two years of credit monitoring, documented loss reimbursement up to $10,000, or estimated cash payments. The settlement also imposed injunctive requirements on Accellion to retire its vulnerable FTA product, expand security measures, and maintain industry certifications, though the company accepted no liability and denied all wrongdoing throughout the litigation.
If you received a breach notification regarding the Accellion incident, review the settlement notice carefully to understand your claim options, deadlines, and the documentation required for each compensation pathway. Class members typically have 180 days or more from the settlement’s preliminary approval to submit claims, but this deadline is absolute—missed deadlines generally result in forfeiture of compensation rights. Consult the official settlement website or contact the claims administrator if you need clarification on eligibility, required documentation, or the claim submission process, and consider whether credit monitoring, documented loss reimbursement, or cash compensation best suits your situation and the extent of losses you actually incurred.
