In December and January, threat actors successfully exploited multiple vulnerabilities in an older file transfer system by Accellion. A number of Accellion’s clients subsequently found themselves on the receiving end of extortion demands to either pay the threat actors, or have their data dumped publicly. A number of firms apparently refused to pay, and their files have been dumped on a dark web leak site known to many by now.
On Tuesday, the threat actors added the University of Miami to their leak site. As is their routine, they posted a few screencaps of files to increase pressure on their victim to pay up.
The files posted appeared to be from the university’s health system or hospital, so DataBreaches.net reached out to the university to ask about the incident. They have provided DataBreaches.net with the following statement:
The University of Miami is currently investigating a data security incident involving Accellion, a third-party provider of hosted file transfer services. We take data security seriously and data protection is a top priority. As soon as we became aware of the incident, we took immediate action to investigate and contain it. We also retained leading cybersecurity experts to assist with our investigation. We have reported the incident to law enforcement and are cooperating with their investigation. Based on our investigation to date, the incident was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems linked to the University of Miami’s network.
While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats. We continue to serve our University community consistent with our commitment to education, research, innovation, and service.
They also shared a communication that went out to the university community for further clarification:
We are currently investigating a data security incident involving Accellion, a third-party provider of hosted file transfer services. We take data security seriously and data protection is a top priority.
As soon as we became aware of the incident, we took immediate action to investigate and contain it. We retained leading cybersecurity experts to assist with our investigation. We have reported the incident to law enforcement and are cooperating with their investigation.
Accellion had been used by a small number of individuals at UM to transfer files too large for email. The University has since discontinued use of Accellion file transfer services.
Based on our investigation to date, the incident was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems linked to the University of Miami’s network. While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats.
As part of our ongoing cybersecurity practices, we remind you not to click on links or open attachments unless you know and trust the sender.
Our investigation into this incident is ongoing and we are continuing to analyze data files within the Accellion server used for secure file transfers and to identify individuals whose personal information was potentially affected. Once our investigation and data analysis are complete, we will notify affected individuals under applicable laws. While our investigation is ongoing, there are certain precautionary steps you may take to safeguard your information:
- Learn about steps you can take to help protect against identity theft at https://www.identitytheft.gov/databreach.
- Place a fraud alert in your credit file by contacting one of the three nationwide credit reporting agencies below:
- Place a security freeze on your credit report by contacting the credit reporting agencies.
We will provide updates as appropriate. If you have questions, please call (855) 757-0247 during 9:00 a.m. to 6:30 p.m. ET on Monday to Friday. If you receive questions about this incident, please direct the individual to the same number.
Thank you for your commitment to serving our University community.
DataBreaches.net also reached out to the Bruce W. Carter VA Medical Center to inquire about a patient file that showed up in the sample the threat actors posted. The file was a records request from the V.A. hospital. It is not clear from the sample data whether the threat actors hit just U. Miami’s Accellion server that happened to have files with protected health information on it, or if the V.A. also had a server that was attacked (less likely, but possible). DataBreaches.net will update this post when a response from the V.A. is received.