DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Accellion’s data breach left clients in tough position: pay extortion to criminals, or have their data dumped (with updates)

Posted on February 18, 2021 by Dissent

A breach involving Accellion‘s older file transfer application has left a number of its customers in the unenviable position of not only having a data breach to deal with, but with the added threat that their data and their clients’ data will be dumped by threat actors if they do not pay extortion demands. At least some of them have decided not to give in to extortion demands.

The Accellion breach was first revealed by the California cloud solutions firm in January, who described it as a 0day. At the time, Accellion reported that a vulnerability had been detected in mid-December and patched within 72 hours, and that the situation impacted maybe 50 clients. All impacted clients were notified on December 23, the firm claimed.

In early February, however, Accellion updated their statement to acknowledge that they had subsequently discovered other vulnerabilities as persistent  attackers kept attacking them into January.

As Accellion’s impacted clients started coming forward, they told  a slightly different story about when Accellion first notified them. The University of Colorado, state of Washington, ASIC, Goodwin Procter law firm, SingTel, and the Royal Bank of New Zealand were reportedly all impacted.

And then things took an even darker turn.

On February 13, DataBreaches.net broke the story that Jones Day law firm had been attacked and their data was being dumped on the dark web by CLOP threat actors, who claimed that the law firm had not responded to ransom demands.

Although they never did respond to this site’s inquiries, Jones Day subsequently informed WSJ that they had been informed about the Accellion breach. They insisted that there was no breach of their system, and that the breach was the vendor’s. CLOP responded that it was Jones Day it had attacked, not Accellion.  From this site’s investigation, it seemed that Accellion’s standalone system may have been attacked. Logs that were dumped showed that JonesDay had been using a version of Accellion’s FTA that was vulnerable.

With one Accellion client facing an extortion attempt, could the others be far behind? It turns out they weren’t.

By last night, this site could find data dumps by CLOP threat actors for a number of Accellion clients in addition to Jones Day. Not all of the following have issued statements or press releases confirming that their data had been stolen:

  • SingTel  had previously reported that the breach impacted 129,000 people, and a number of their clients and employees. They  received a ransom demand.
  • Jones Day
  • Fugro 
  • American Bureau of Shipping (Eagle.org)
  • Danaher.com
  • Bombardier (confirmed 2/23/2021)
  • Transport for New South Wales (added 2/23/3021; data dump March 22)
  • Qualys (added 3/3/2021)
  • CSX (added to this post March 7; see also this notice)
  • Flagstar (added to this post March 8)
  • NOW Foods (part of Kroger); added to this post March 16
  • University of Colorado (added to leak site March 22)
  • University of Miami (added to leak site March 22)
  • Stanford University (“MedSecureSend) (added to leak site March 29)
  • University of Maryland, Baltimore (added to leak site March 29)
  • Yeshiva University (added to leak site March 29)
  • UniversityofCalifornia.edu (added to leak site March 29)
  • Shell (added to this post March 22)

Other known victims have not (yet?) shown up on the dark web leak site. There has been some media coverage or statements by these entities, but so far, there has been no report that they received ransom demands and as of this morning, they do not appear on CLOP’s leak site.

  • Royal Bank of New Zealand
  • Allens law firm in Australia
  • Goodwin Procter law firm (see also this notification)
  • The Australian Securities and Investments Commission (ASIC)
  • Washington State
  • QIMR Berghofer
  • Kroger Health Services and Money Services  (added to this post  2/19/2021)
  • Nova Scotia Health Employees’ Pension Plan (added to this post  March 7)
  • Trillium Community Health Plan (added to this post March 7)
  • Harvard Business School
  • Arizona Complete Health (added to this post March 17)
  • Health Net (a Centene subsidiary) (added to this post March 18) — CalViva added to this post March 28
  • UC Merced (added March 30)
  • UC Davis (added to this post April 1)
  • UC Berkeley (added April 3)
  • Trinity Health (added April 5)
  • Memorial Sloan Kettering (added April 6)
  • Health Net (added April 6)
  • Health Net of California (added April 6)
  • Health Net Life Insurance Company (added April 6)
  • Health Net Community Solutions (added April 6)
  • California Health & Wellness (added April 6)
  • Southern Illinois University School of Medicine (added to this post March 4; added to CLOP’s site on April 13)
  • Toronto, Canada (added to this post April 30)

Accellion claimed to have a number of big law firms as clients. DataBreaches.net is not listing them, but we continue to monitor news for statements about this incident.

This post will be updated as conditions change. There are other companies listed on CLOP’s leak site, but it is not known if they are connected to this incident or unrelated incidents.

In this case, victims’ files do not appear to have been encrypted, and this appears to be a reversion to the older model of hacking, exfiltrating a copy of data, and then attempting to extort the victim so that data are not dumped or sold.

Accellion has not updated its original statement in terms of the number of its clients impacted. It is not known if there are still 50 clients, or if the number is significantly more after attacks in January. In any event, this turns out to be a very large and significant breach.  And if so many entities are showing up on CLOP’s leak site, does that mean that more and more victims are refusing to pay extortion? If so, that could indicate a positive development.

Related posts:

  • Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2)
  • TeamGhostShell posts “master list” of 548 leaks (so far)
  • Threat actors leak files with protected health information from U. Miami
  • The Jones Day dump contains prescription drug records. Who’s notifying those patients of the breach?
Category: Business SectorOf NoteSubcontractorU.S.

Post navigation

← Unsecured: Jamaica’s immigration website exposed thousands of travelers’ data
TR: Hacker attack on Kayseri OSB! →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.