DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Accellion’s data breach left clients in tough position: pay extortion to criminals, or have their data dumped (with updates)

Posted on February 18, 2021 by Dissent

A breach involving Accellion‘s older file transfer application has left a number of its customers in the unenviable position of not only having a data breach to deal with, but with the added threat that their data and their clients’ data will be dumped by threat actors if they do not pay extortion demands. At least some of them have decided not to give in to extortion demands.

The Accellion breach was first revealed by the California cloud solutions firm in January, who described it as a 0day. At the time, Accellion reported that a vulnerability had been detected in mid-December and patched within 72 hours, and that the situation impacted maybe 50 clients. All impacted clients were notified on December 23, the firm claimed.

In early February, however, Accellion updated their statement to acknowledge that they had subsequently discovered other vulnerabilities as persistent  attackers kept attacking them into January.

As Accellion’s impacted clients started coming forward, they told  a slightly different story about when Accellion first notified them. The University of Colorado, state of Washington, ASIC, Goodwin Procter law firm, SingTel, and the Royal Bank of New Zealand were reportedly all impacted.

And then things took an even darker turn.

On February 13, DataBreaches.net broke the story that Jones Day law firm had been attacked and their data was being dumped on the dark web by CLOP threat actors, who claimed that the law firm had not responded to ransom demands.

Although they never did respond to this site’s inquiries, Jones Day subsequently informed WSJ that they had been informed about the Accellion breach. They insisted that there was no breach of their system, and that the breach was the vendor’s. CLOP responded that it was Jones Day it had attacked, not Accellion.  From this site’s investigation, it seemed that Accellion’s standalone system may have been attacked. Logs that were dumped showed that JonesDay had been using a version of Accellion’s FTA that was vulnerable.

With one Accellion client facing an extortion attempt, could the others be far behind? It turns out they weren’t.

By last night, this site could find data dumps by CLOP threat actors for a number of Accellion clients in addition to Jones Day. Not all of the following have issued statements or press releases confirming that their data had been stolen:

  • SingTel  had previously reported that the breach impacted 129,000 people, and a number of their clients and employees. They  received a ransom demand.
  • Jones Day
  • Fugro 
  • American Bureau of Shipping (Eagle.org)
  • Danaher.com
  • Bombardier (confirmed 2/23/2021)
  • Transport for New South Wales (added 2/23/3021; data dump March 22)
  • Qualys (added 3/3/2021)
  • CSX (added to this post March 7; see also this notice)
  • Flagstar (added to this post March 8)
  • NOW Foods (part of Kroger); added to this post March 16
  • University of Colorado (added to leak site March 22)
  • University of Miami (added to leak site March 22)
  • Stanford University (“MedSecureSend) (added to leak site March 29)
  • University of Maryland, Baltimore (added to leak site March 29)
  • Yeshiva University (added to leak site March 29)
  • UniversityofCalifornia.edu (added to leak site March 29)
  • Shell (added to this post March 22)

Other known victims have not (yet?) shown up on the dark web leak site. There has been some media coverage or statements by these entities, but so far, there has been no report that they received ransom demands and as of this morning, they do not appear on CLOP’s leak site.

  • Royal Bank of New Zealand
  • Allens law firm in Australia
  • Goodwin Procter law firm (see also this notification)
  • The Australian Securities and Investments Commission (ASIC)
  • Washington State
  • QIMR Berghofer
  • Kroger Health Services and Money Services  (added to this post  2/19/2021)
  • Nova Scotia Health Employees’ Pension Plan (added to this post  March 7)
  • Trillium Community Health Plan (added to this post March 7)
  • Harvard Business School
  • Arizona Complete Health (added to this post March 17)
  • Health Net (a Centene subsidiary) (added to this post March 18) — CalViva added to this post March 28
  • UC Merced (added March 30)
  • UC Davis (added to this post April 1)
  • UC Berkeley (added April 3)
  • Trinity Health (added April 5)
  • Memorial Sloan Kettering (added April 6)
  • Health Net (added April 6)
  • Health Net of California (added April 6)
  • Health Net Life Insurance Company (added April 6)
  • Health Net Community Solutions (added April 6)
  • California Health & Wellness (added April 6)
  • Southern Illinois University School of Medicine (added to this post March 4; added to CLOP’s site on April 13)
  • Toronto, Canada (added to this post April 30)

Accellion claimed to have a number of big law firms as clients. DataBreaches.net is not listing them, but we continue to monitor news for statements about this incident.

This post will be updated as conditions change. There are other companies listed on CLOP’s leak site, but it is not known if they are connected to this incident or unrelated incidents.

In this case, victims’ files do not appear to have been encrypted, and this appears to be a reversion to the older model of hacking, exfiltrating a copy of data, and then attempting to extort the victim so that data are not dumped or sold.

Accellion has not updated its original statement in terms of the number of its clients impacted. It is not known if there are still 50 clients, or if the number is significantly more after attacks in January. In any event, this turns out to be a very large and significant breach.  And if so many entities are showing up on CLOP’s leak site, does that mean that more and more victims are refusing to pay extortion? If so, that could indicate a positive development.

Category: Business SectorOf NoteSubcontractorU.S.

Post navigation

← Unsecured: Jamaica’s immigration website exposed thousands of travelers’ data
TR: Hacker attack on Kayseri OSB! →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.