On March 3, a purported data breach victim, acting on behalf of a proposed settlement class, and a Nebraska family-owned bank filed an unopposed motion in the U.S. District Court for the District of Massachusetts seeking preliminary approval of a $2.4 million class action settlement resolving claims over a data breach tied to the exploitation of a file transfer software vulnerability. The proposed agreement would end litigation brought on behalf of more than 200,000 individuals whose personal information was allegedly compromised during a May 2023 cybersecurity breach. Under the deal, the settlement fund would cover notice and administrative costs, any court-approved service award, and attorneys’ fees, and provide class members with two years of credit monitoring and identity theft protection and either reimbursement for certain losses or an alternative $100 cash payment.

The case stems from an incident in which cybercriminals allegedly exploited an “unauthenticated SQL vulnerability” in the file transfer software to gain unauthorized access to stored files. The settlement class representative alleged that the financial institution failed to implement reasonable data security measures to protect sensitive information, while the institution denied wrongdoing and argued the breach was attributable to the software’s developer. The parties contended that the proposed settlement is fair, reasonable and adequate given the risks, costs and uncertainty of continued litigation, which included challenges to standing, complex causation issues, and potential defenses to class certification. The settlement does not release claims against the file transfer software developer.