Accellion data breach: Difference between revisions

Around mid-December in 2020, several hacker groups going by the names FIN11, UNC2546, and CLOP, infiltrated Kiteworks (formerly Accellion) systems using SQL injection, affecting organizations delving to various aspects of education, medicine, and finance, leaking over nine million customers' and employees' personal information.^[1] This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022.

A financially-motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.^[2] It shares close ties to CLOP, a hacker group that since 2016 has run phishing campaigns and malware distributions,^[3] and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.^[4][5]

Around mid-December, FIN11 targeted Accellion's 20-years old legacy File Transfer Appliance (FTA), deploying two zero-day-vulnerabilities that granted access to installation of a custom web shell named DEWMODE,^[6] allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shortly after released a patch within 72 hours on 20 and 23 of December 2020.^[7] On 12 January 2021, the company released a statement announcing the attack and urged customers to update to their newly-released communication platform Kiteworks.^[8]

On 20 January, hackers conducted more attacks after finding new vulnerabilities that included two more zero-day-vulnerabilities,^[9] however after the vulnerabilities were noticed by Accellion customer service on 22 January, they were shortly patched three days later.^[1][7] Around late January, victims started receiving ransom e-mails that threatened to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.^[10] The company implemented another patch on 28 January that enhanced the security of the patch from 23 December 2020. On 1 February, Accellion released a statement detailing the attack and added that no new vulnerabilities were detected at that time.^[11] A last patch was implemented on 1 March in collaboration with Mandiant (a subsidiary of Google) that fixed two additional vulnerabilities.^[9]

Accellion announced termination of its legacy FTA software on 15 February 2021,^[12] giving customers until 30 April 2021 to make any changes to their licensing agreements.^[13]

Companies began being informed of the breach around January through March, later releasing statements about the incident. Several companies decided to terminate their agreements with Accellion and collaborate with law enforcement and other companies, while also reaching out to potentially affected customers.^[14][15]

On 11 February 2021, Singtel released a statement announcing an investigation in collaboration with security experts and the Cyber Security Agency of Singapore, as well as plans to cease operation of Accellion systems.^[16] On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers' names, dates of birth, mobile phone numbers, and home addresses were leaked, along with employees' and staff's financial information. The company highlighted plans to contact affected customers, and issued an apology.^[17]

"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"

On 23 January, Kroger was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems, as well as mentioning that 1% of customers had pharmacy records and money services impacted by the attack. Additionally, it highlighted plans to inform affected consumers.^[18]

Starting on 3 March through 2 April 2021, Qualys made a series of statement and updates after being alerted about the attack around December 2020. In collaboration with Accellion, FireEye, and Mandiant, an investigation found and contacted customers with leaked online and real life names, e-mail addresses, job titles, and office addresses. Additionally, it found no impact or effect on its systems.^[19]

On 22 January 2021, the city was first alerted of the incident by unknown sources, however the city did not issue a response until April 2021.^[20] When asked, a spokesperson responded by claiming "It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." It was reported that around 35,000 citizens' information was affected in the attack, however the city didn't receive a ransom e-mail, leading to some speculation in the community of the meaning of the silence.^[21][22]

On 2 May 2021, CXS made a statement highlighting the incident, only mentioning the leaking of current and past employees' personal information. The company didn't provide much detail surrounding the incident with regards to customers or any specific type of information, saying only that "To date, this incident has had no impact on business operations or our ability to serve our customers."^[23][24]

Trillium became aware of the attack on 25 January 2021, and about a month later released a statement, declaring customers' addresses, dates of birth, insurance ID numbers, and health information were leaked and posted online. As compensation, the company gave one-year credit monitoring and identity theft protection services to affected customers on 26 February 2021.^[25] The company discussed plans to move and remove all data from Accellion systems, and review files and sharing data practices.^[26]

Morgan Stanley third-party vendor Guidehouse, a company that delivers account maintenance services, notified Morgan Stanley of the breach on 20 May 2021, after discovering the breach in March and finding information containing names, addresses, dates of birth and Social Security numbers about Morgan Stanley clients.^[27][28][29] Morgan Stanley sent e-mails to affected victims on 8 June, and later on 2 July sent an e-mail to the attorney general office located in Concord, New Hampshire to inform them of the attack.^[30]

On 24 March 2021, Health Net, an American health care insurance provider, released a statement that declared customers' addresses, dates of birth, insurance ID numbers, and health information such as medical conditions and treatment information, was compromised. The company stated it had started collaborating with law enforcement and ceasing operation of Accellion services.^[31]

https://web.archive.org/web/20210111063645/https://www.rbnz.govt.nz/news/2021/01/reserve-bank-response-to-illegal-breach-of-data-system

https://web.archive.org/web/20210115022125/https://www.rbnz.govt.nz/our-response-to-data-breach'

https://www.interest.co.nz/banking/109058/reserve-banks-says-it-working-directly-stakeholders-determine-how-many-people-have

https://www.bankinfosecurity.com/reserve-bank-new-zealand-investigates-data-breach-a-15737

Around March 2021, Flagstar Bank posted on its website an alert to users that its vendor, Accellion, had been the target of a cybersecurity attack. The company declared discontinuation of Accellion services and the creation of a calling center for affected individuals.^[32]

On 5 April 2021, Trinity Health declared that customers' personal and medical information was accessed and leaked online. The company announced plans to inform affected customers and create a hotline to affected customers.^[33]

Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.

California Health & Wellness became aware of the attack after being alerted by Accellion on 25 January 2021, upon which it immediately conducted an investigation alongside Accellion.^[34] In a statement released on ---, California Health & Wellness confirmed customers address, date of birth, insurance ID number, and related health information was compromised. The company announced plan to cease operation of Accellion software and gave affected customers one-year identity protection service with IDX membership.^{[citation needed (4 June 2026)]}

Arizona Complete Health released a statement on 26 February 2021, confirming that approximately 27,000 customers' addresses, dates of birth, insurance ID numbers, and medical conditions were compromised after being informed of the attack on 25 January. The company announced it would cease operation of Accellion systems, removing all related data, and provide affected customers one year of credit monitoring services.^[35][36]

Jones Day provided little information regarding the attack, only responding in a statement made to The Wall Street Journal^[37] that it was affected by the attack through Accellion. Allegedly, there was a plan to arrange an agreement between CLOP, however the company went silent, resulting in the releasing of information about Jones Day clients. The hacker organization CLOP responded to the company's silence;^[38][39][40]

"we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"

CalViva Health sent an e-mail to affected customers on 24 March 2021 after being informed by Accellion on 25 January. It listed that customers' addresses, dates of birth, insurance ID numbers, and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers one-year IDX membership.^[41]

On 18 February 2021, a lawsuit was filed against Accellion for failure to secure the personal information of its customers, alleging it resulted in the plaintiffs facing years of "constant surveillance of their financial and personal records, monitoring, and loss of rights".^[42][43] The case reached an $8.1 million settlement on 20 January 2022, requiring Accellion give two years of credit monitoring and insurance services and reimburse up to $10,000 or receive payment of $15 or $50 to affected individuals.^[44][45]