DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Accellion’s data breach left clients in tough position: pay extortion to criminals, or have their data dumped (with updates)

Posted on February 18, 2021 by Dissent

A breach involving Accellion‘s older file transfer application has left a number of its customers in the unenviable position of not only having a data breach to deal with, but with the added threat that their data and their clients’ data will be dumped by threat actors if they do not pay extortion demands. At least some of them have decided not to give in to extortion demands.

The Accellion breach was first revealed by the California cloud solutions firm in January, who described it as a 0day. At the time, Accellion reported that a vulnerability had been detected in mid-December and patched within 72 hours, and that the situation impacted maybe 50 clients. All impacted clients were notified on December 23, the firm claimed.

In early February, however, Accellion updated their statement to acknowledge that they had subsequently discovered other vulnerabilities as persistent  attackers kept attacking them into January.

As Accellion’s impacted clients started coming forward, they told  a slightly different story about when Accellion first notified them. The University of Colorado, state of Washington, ASIC, Goodwin Procter law firm, SingTel, and the Royal Bank of New Zealand were reportedly all impacted.

And then things took an even darker turn.

On February 13, DataBreaches.net broke the story that Jones Day law firm had been attacked and their data was being dumped on the dark web by CLOP threat actors, who claimed that the law firm had not responded to ransom demands.

Although they never did respond to this site’s inquiries, Jones Day subsequently informed WSJ that they had been informed about the Accellion breach. They insisted that there was no breach of their system, and that the breach was the vendor’s. CLOP responded that it was Jones Day it had attacked, not Accellion.  From this site’s investigation, it seemed that Accellion’s standalone system may have been attacked. Logs that were dumped showed that JonesDay had been using a version of Accellion’s FTA that was vulnerable.

With one Accellion client facing an extortion attempt, could the others be far behind? It turns out they weren’t.

By last night, this site could find data dumps by CLOP threat actors for a number of Accellion clients in addition to Jones Day. Not all of the following have issued statements or press releases confirming that their data had been stolen:

  • SingTel  had previously reported that the breach impacted 129,000 people, and a number of their clients and employees. They  received a ransom demand.
  • Jones Day
  • Fugro 
  • American Bureau of Shipping (Eagle.org)
  • Danaher.com
  • Bombardier (confirmed 2/23/2021)
  • Transport for New South Wales (added 2/23/3021; data dump March 22)
  • Qualys (added 3/3/2021)
  • CSX (added to this post March 7; see also this notice)
  • Flagstar (added to this post March 8)
  • NOW Foods (part of Kroger); added to this post March 16
  • University of Colorado (added to leak site March 22)
  • University of Miami (added to leak site March 22)
  • Stanford University (“MedSecureSend) (added to leak site March 29)
  • University of Maryland, Baltimore (added to leak site March 29)
  • Yeshiva University (added to leak site March 29)
  • UniversityofCalifornia.edu (added to leak site March 29)
  • Shell (added to this post March 22)

Other known victims have not (yet?) shown up on the dark web leak site. There has been some media coverage or statements by these entities, but so far, there has been no report that they received ransom demands and as of this morning, they do not appear on CLOP’s leak site.

  • Royal Bank of New Zealand
  • Allens law firm in Australia
  • Goodwin Procter law firm (see also this notification)
  • The Australian Securities and Investments Commission (ASIC)
  • Washington State
  • QIMR Berghofer
  • Kroger Health Services and Money Services  (added to this post  2/19/2021)
  • Nova Scotia Health Employees’ Pension Plan (added to this post  March 7)
  • Trillium Community Health Plan (added to this post March 7)
  • Harvard Business School
  • Arizona Complete Health (added to this post March 17)
  • Health Net (a Centene subsidiary) (added to this post March 18) — CalViva added to this post March 28
  • UC Merced (added March 30)
  • UC Davis (added to this post April 1)
  • UC Berkeley (added April 3)
  • Trinity Health (added April 5)
  • Memorial Sloan Kettering (added April 6)
  • Health Net (added April 6)
  • Health Net of California (added April 6)
  • Health Net Life Insurance Company (added April 6)
  • Health Net Community Solutions (added April 6)
  • California Health & Wellness (added April 6)
  • Southern Illinois University School of Medicine (added to this post March 4; added to CLOP’s site on April 13)
  • Toronto, Canada (added to this post April 30)

Accellion claimed to have a number of big law firms as clients. DataBreaches.net is not listing them, but we continue to monitor news for statements about this incident.

This post will be updated as conditions change. There are other companies listed on CLOP’s leak site, but it is not known if they are connected to this incident or unrelated incidents.

In this case, victims’ files do not appear to have been encrypted, and this appears to be a reversion to the older model of hacking, exfiltrating a copy of data, and then attempting to extort the victim so that data are not dumped or sold.

Accellion has not updated its original statement in terms of the number of its clients impacted. It is not known if there are still 50 clients, or if the number is significantly more after attacks in January. In any event, this turns out to be a very large and significant breach.  And if so many entities are showing up on CLOP’s leak site, does that mean that more and more victims are refusing to pay extortion? If so, that could indicate a positive development.

Category: Business SectorOf NoteSubcontractorU.S.

Post navigation

← Unsecured: Jamaica’s immigration website exposed thousands of travelers’ data
TR: Hacker attack on Kayseri OSB! →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware Attack on ADP Partner Exposes Broadcom Employee Data
  • Anne Arundel ransomware attack compromised confidential health data, county says
  • Australian national known as “DR32” sentenced in U.S. federal court
  • Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices
  • Japan enacts new Active Cyberdefense Law allowing for offensive cyber operations
  • Breachforums Boss “Pompompurin” to Pay $700k in Healthcare Breach
  • HHS Office for Civil Rights Settles HIPAA Cybersecurity Investigation with Vision Upright MRI
  • Additional 12 Defendants Charged in RICO Conspiracy for over $263 Million Cryptocurrency Thefts, Money Laundering, Home Break-Ins
  • RIBridges firewall worked. But forensic report says hundreds of alarms went unnoticed by Deloitte.
  • Chinese Hackers Hit Drone Sector in Supply Chain Attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Massachusetts Senate Committee Approves Robust Comprehensive Privacy Law
  • Montana Becomes First State to Close the Law Enforcement Data Broker Loophole
  • Privacy enforcement under Andrew Ferguson’s FTC
  • “We would be less confidential than Google” – Proton threatens to quit Switzerland over new surveillance law
  • CFPB Quietly Kills Rule to Shield Americans From Data Brokers
  • South Korea fines Temu for data protection violations
  • The BR Privacy & Security Download: May 2025

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.