A breach involving Accellion‘s older file transfer application has left a number of its customers in the unenviable position of not only having a data breach to deal with, but with the added threat that their data and their clients’ data will be dumped by threat actors if they do not pay extortion demands. At least some of them have decided not to give in to extortion demands.
The Accellion breach was first revealed by the California cloud solutions firm in January, who described it as a 0day. At the time, Accellion reported that a vulnerability had been detected in mid-December and patched within 72 hours, and that the situation impacted maybe 50 clients. All impacted clients were notified on December 23, the firm claimed.
In early February, however, Accellion updated their statement to acknowledge that they had subsequently discovered other vulnerabilities as persistent attackers kept attacking them into January.
As Accellion’s impacted clients started coming forward, they told a slightly different story about when Accellion first notified them. The University of Colorado, state of Washington, ASIC, Goodwin Procter law firm, SingTel, and the Royal Bank of New Zealand were reportedly all impacted.
And then things took an even darker turn.
On February 13, DataBreaches.net broke the story that Jones Day law firm had been attacked and their data was being dumped on the dark web by CLOP threat actors, who claimed that the law firm had not responded to ransom demands.
Although they never did respond to this site’s inquiries, Jones Day subsequently informed WSJ that they had been informed about the Accellion breach. They insisted that there was no breach of their system, and that the breach was the vendor’s. CLOP responded that it was Jones Day it had attacked, not Accellion. From this site’s investigation, it seemed that Accellion’s standalone system may have been attacked. Logs that were dumped showed that JonesDay had been using a version of Accellion’s FTA that was vulnerable.
With one Accellion client facing an extortion attempt, could the others be far behind? It turns out they weren’t.
By last night, this site could find data dumps by CLOP threat actors for a number of Accellion clients in addition to Jones Day. Not all of the following have issued statements or press releases confirming that their data had been stolen:
- SingTel had previously reported that the breach impacted 129,000 people, and a number of their clients and employees. They received a ransom demand.
- Jones Day
- Fugro
- American Bureau of Shipping (Eagle.org)
- Danaher.com
- Bombardier (confirmed 2/23/2021)
- Transport for New South Wales (added 2/23/3021; data dump March 22)
- Qualys (added 3/3/2021)
- CSX (added to this post March 7; see also this notice)
- Flagstar (added to this post March 8)
- NOW Foods (part of Kroger); added to this post March 16
- University of Colorado (added to leak site March 22)
- University of Miami (added to leak site March 22)
- Stanford University (“MedSecureSend) (added to leak site March 29)
- University of Maryland, Baltimore (added to leak site March 29)
- Yeshiva University (added to leak site March 29)
- UniversityofCalifornia.edu (added to leak site March 29)
- Shell (added to this post March 22)
Other known victims have not (yet?) shown up on the dark web leak site. There has been some media coverage or statements by these entities, but so far, there has been no report that they received ransom demands and as of this morning, they do not appear on CLOP’s leak site.
- Royal Bank of New Zealand
- Allens law firm in Australia
- Goodwin Procter law firm (see also this notification)
- The Australian Securities and Investments Commission (ASIC)
- Washington State
- QIMR Berghofer
- Kroger Health Services and Money Services (added to this post 2/19/2021)
- Nova Scotia Health Employees’ Pension Plan (added to this post March 7)
- Trillium Community Health Plan (added to this post March 7)
- Harvard Business School
- Arizona Complete Health (added to this post March 17)
- Health Net (a Centene subsidiary) (added to this post March 18) — CalViva added to this post March 28
- UC Merced (added March 30)
- UC Davis (added to this post April 1)
- UC Berkeley (added April 3)
- Trinity Health (added April 5)
- Memorial Sloan Kettering (added April 6)
- Health Net (added April 6)
- Health Net of California (added April 6)
- Health Net Life Insurance Company (added April 6)
- Health Net Community Solutions (added April 6)
- California Health & Wellness (added April 6)
- Southern Illinois University School of Medicine (added to this post March 4; added to CLOP’s site on April 13)
- Toronto, Canada (added to this post April 30)
Accellion claimed to have a number of big law firms as clients. DataBreaches.net is not listing them, but we continue to monitor news for statements about this incident.
This post will be updated as conditions change. There are other companies listed on CLOP’s leak site, but it is not known if they are connected to this incident or unrelated incidents.
In this case, victims’ files do not appear to have been encrypted, and this appears to be a reversion to the older model of hacking, exfiltrating a copy of data, and then attempting to extort the victim so that data are not dumped or sold.
Accellion has not updated its original statement in terms of the number of its clients impacted. It is not known if there are still 50 clients, or if the number is significantly more after attacks in January. In any event, this turns out to be a very large and significant breach. And if so many entities are showing up on CLOP’s leak site, does that mean that more and more victims are refusing to pay extortion? If so, that could indicate a positive development.