Accellion data breach: Difference between revisions

}}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[wikipedia:Kiteworks|Accellion]] systems using [[wikipedia:SQL_injection|SQL injection,]] affecting organizations delving to various aspects of education, medicine, and finance, leaking over 9 million customers and employees personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=31 October 2025 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |access-date=25 March 2026 |website=Huntress}}</ref> This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022.

A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.<ref>{{Cite web |last=Stark |first=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |date=14 October 2020 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 October 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> It shares close ties to [[wikipedia:Clop_(hacker_group)#GoAnywhere_MFT_attack_(2023)|CLOP]], a hacker group that since 2016 has ran phishing campaigns and malware distributions<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |date=15 July 2020 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 July 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref>,  and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |date=23 February 2021 |title=What We Know About the Hackers Behind the Accellion Data Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |url-status=live |access-date=26 March 2026 |website=Gizmodo}}</ref><ref>{{Cite web |last=Stone |first=Jeff |date=22 February 2021 |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |url-status=live |access-date=26 March 2026 |website=Cyberscoop}}</ref>

Around Mid December, FIN11 targeted Accellion 20 year legacy {{Wplink|File transfer|File Transfer Appliance}} (FTA), deploying two {{Wplink|Zero-day vulnerability|zero-day-vulnerabilities}} that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref>, allowing for SQL injection into Accellion systems.  On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing  the attack and urging customers to update to their newely released communication platform kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref>  On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref>  A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>

Companies began being informed of the breach around January through March, later releasing statments about the incident. Several companies decided to terminate their agreements with Accellion and collaborate with law enforcement and other companies, while also reach out to potentially affected customers.<ref>{{Cite web |last=Panettieri |first=Joe |date=14 January 2022 |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |url-status=live |access-date=26 March 2026 |website=MSSP Alert}}</ref><ref>{{Cite web |last=Firch |first=Jason |date=14 May 2024 |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |url-status=live |access-date=26 March 2026 |website=Purplesec}}</ref>   

In 11 February 2021, Singtel released a statement announcing a investigation in collaborations with security experts and Cyber Security Agency of Singapore and made plans to cease operation of Accellion systems.<ref>{{Cite web |date=11 February 2021 |title=Media Statement relating to Accellion’s FTA Security Incident |url=https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |url-status=live |access-date=27 March 2026 |website=Singtel}}</ref> On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers name, date of birth, mobile number, and home address was leaked, along with employees and staff financial information. The company highlighted plans to contact affected customers, and issuing an apology.<ref>{{Cite web |date=17 February 2021 |title=Singtel addresses data breach, moves to support affected stakeholders |url=https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |url-status=live |archive-url=https://web.archive.org/web/20260116181632mp_/https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |archive-date=16 January 2026 |access-date=26 March 2026 |website=Singtel}}</ref>  <blockquote>''"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"''</blockquote>

On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date=25 March 2026 |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref>

On 22 January, the city was first alerted of the incident by unknown sources, however the city issued a response on April 2021.<ref>{{Cite web |date=30 April 2021 |title=Toronto hit by ‘potential cyber breach’ from Accellion file transfer software |url=https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |url-status=live |access-date=27 March 2026 |website=Databreaches.net}}</ref> When asked, a spokesperson responded by claiming "“It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." it was reported that around 35,000 citizens information was affected in the attack, however the city didn't receive a ransom email, leading to some speculation in the community of the meaning of the silence.<ref>{{Cite web |last=Woodward |first=Jon |date=30 December 2021 |title=Toronto feared 35,000 citizens' data would be made public after cyberattack: documents |url=https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |url-status=live |access-date=26 March 2026 |website=CTV News}}</ref><ref>{{Cite web |last=Adriano |first=Lyle |date=3 May 2021 |title=Toronto reveals potential cyber breach |url=https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |url-status=live |access-date=26 March 2026 |website=Insurance Business}}</ref>

On 02 May,  CXS made a statement highlighting the incident only leaking current and past employees personal information. The company didn't provide much details surrounding the incident in regards to customers or specific type of information, only saying “''To date, this incident has had no impact on business operations or our ability to serve our customers''".<ref>{{Cite web |date=2 March 2021 |title=CSX probes ‘security incident’ as hackers leak data |url=https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |url-status=live |access-date=27 March 2026 |website=Freightwaves}}</ref><ref>{{Cite web |last=Lester |first=David |date=3 March 2021 |title=CSX suffers data exposure by hackers |url=https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |url-status=live |access-date=26 March 2026 |website=RT&S}}</ref>

The Company became aware of the attack on 25 January, and a month later released a statement, declaring customers address, date of birth, insurance ID number, and health information has been leaked and posted online. As compensation, the company gave 1 year credit monitoring and identity theft protection services to affected customers on 26 February.<ref>{{Cite web |date=7 March 2021 |title=Trillium Community Health Plan members impacted by Accellion breach |url=https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |url-status=live |access-date=27 March 2026 |website=databreaches.net}}</ref>  The company discussed plans to move and remove all data from Accellion systems, review files and sharing data practices.<ref>{{Cite web |date=25 February 2021 |title=Trillium vendor reports a Data Security Incident |url=https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |url-status=live |archive-url=https://web.archive.org/web/20260214042648/https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |archive-date=14 February 2026 |access-date=27 March 2026 |website=Trillium}}</ref>

[[wikipedia:Morgan_Stanley|Morgan Stanely]] third party vendor Guidehouse, a company that delivers account maintenance services, notified Morgan Stanely of the breach on 20 May 2021 after discovering the breach in March and finding information containing names, addresses, date of birth and social security numbers about Morgan Stanely clients in March.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=Morgan Stanley reports data breach after vendor Accellion hack |url=https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref><ref>{{Cite web |last=Goodin |first=Dan |date=8 July 2021 |title=Morgan Stanley discloses data breach that resulted from Accellion FTA hacks |url=https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |url-status=live |access-date=27 March 2026 |website=Arstechnica}}</ref><ref>{{Cite web |last=Paganini |first=Pierluigi |date=8 July 2021 |title=Morgan Stanley discloses data breach after the hack of a third-party vendor |url=https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html |url-status=live |access-date=27 March 2026 |website=SecurityAffairs}}</ref> Morgan Stanley sent emails to affected victims on 08 June and later on 02 July, sending a email to the attorney general office located in concord informing them of the attack.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=morgan-stanley-bc-20210702 |url=https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702/ |url-status=live |access-date=28 March 2026 |website=DocumentCloud}}</ref>  

On 05 April, Trinity Health would declare customers personal and medical information was access and leaked online. The company announced plans to inform affected customers and create a headline to affected customers.<ref>{{Cite web |date=5 April 2021 |title=Trinity Health Announces Response to Accellion Data Event |url=https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |url-status=live |access-date=28 March 2026 |website=Trinity Health}}</ref><blockquote>Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.</blockquote>

California Health & Wellness became aware of the attack  after being alerted from Accellion on 25 January, which upon notice immediately conducted an investigation alongside Accellion.<ref>{{Cite web |last=Adler |first=Steve |date=6 April 2021 |title=More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack |url=https://www.hipaajournal.com/more-than-1-2-million-health-net-members-affected-by-accellion-cyberattack/ |url-status=live |access-date=28 March 2026 |website=The Hippa Journal}}</ref> In a statement released on ---, California Health & Wellness confirmed customers address, date of birth, insurance ID number, and related health information was compromised. The company announced plan to cease operation of Accellion software and gave affected customers 1 year identity protection service with IDX membership.<ref>{{Cite web |date=29 March 2026 |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/California%20Health%20%26%20Wellness%20-%20Accellion%20Breach%20Notice%20Letter.pdfhttps://oag.ca.gov/system/files/California%20Health%20%26%20Wellness%20-%20Accellion%20Breach%20Notice%20Letter.pdf |url-status=live |access-date=29 March 2026 |website=ca.gov}}</ref>    

Arizona Complete Health released a statement on 26 February, confirming  around 27,000 customers addresses, date of birth, insurance ID numbers, and medical conditions, were compromised after being informed of the attack on 25 January, The company announced it would cease operation of Accellion systems, removing all related data associated, and provide affected customers 1 year of credit monitoring services.<ref>{{Cite web |last=Drees |first=Jackie |date=18 March 2021 |title=Ransomware attack exposes 27,000+ Arizona health plan members’ data for 2.5 weeks |url=https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/ransomware-attack-exposes-27-000-arizona-health-plan-members-data-for-2-5-weeks/ |url-status=live |access-date=29 March 2026 |website=beckershospitalreview.com}}</ref><ref>{{Cite web |date=26 February 2021 |title=Arizona Complete Health (AzCH) received information that one of our business partners was a victim of a cyber-attack. |url=https://www.azcompletehealth.com/newsroom/cyber-accellion.html |url-status=live |archive-url=https://web.archive.org/web/20210318182004/https://www.azcompletehealth.com/newsroom/cyber-accellion.html |archive-date=18 March 2021 |access-date=29 March 2026 |website=Arizona Complete Health}}</ref>

The company provided little information regarding the attack, with only responding in a statement made to the Wall Street Journal that it was affected by the attack. Allegedly, there was plan to arrange an agreement between CLOP, however the company went silent, resulting in releasing information about  Jones Day clients. The hacker organization CLOP responded to the company's silence;<ref>{{Cite web |date=16 February 2021 |title=Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2) |url=https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><ref>{{Cite web |last=Koebler |first=Jason |last2=Cox |first2=Joseph |last3=Bicchierai |first3=Lorenzo |date=16 February 2021 |title=Hacker Leaks Files from Jones Day Law Firm, Which Worked on Trump Election Challenges |url=https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |url-status=live |access-date=29 March 2026 |website=Vice}}</ref><ref>{{Cite web |date=13 February 2021 |title=Threat actors claim to have stolen Jones Day files; law firm remains quiet |url=https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><blockquote>''" we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"''</blockquote>

The company sent an email to affected customers on 24 March after being informed by Accellion on 25 January. It lists customers Addresses, date of birth, insurance ID Number,  and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers 1 year IDX membership.<ref>{{Cite web |date=24 March 2021 |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |url-status=live |access-date=29 March 2026 |website=oag.ca.gov}}</ref>   

On 18 February 2021, a lawsuit was filed against Accellion for failure to secure personal information of its customers, alleging it resulting in the plaintiffs facing years of ''"constant surveillance of their financial and personal records, monitoring, and loss of rights".''<ref>{{Cite web |last=Rizzi |first=Corrado |date=19 February 2021 |title=Accellion Facing Class Action Over Dec. 2020 File Transfer Service Data Breach [UPDATE] |url=https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |url-status=live |access-date=27 March 2026 |website=ClassAction}}</ref><ref>{{Cite web |date=29 March 2026 |title=Zebelman v. Accellion, Inc. |url=https://dockets.justia.com/docket/california/candce/5:2021cv01203/373802 |url-status=live |access-date=29 March 2026 |website=Justia U.S Law}}</ref> The case reached a $8.1 million settlement on 20 January 2022, requiring Accellion give 2 years of credit monitoring and insurance services and reimburse up to $10,000  or receive payment of $15 or $50 to affected individuals.<ref>{{Cite web |last=Coble |first=Sarah |date=17 January 2022 |title=Accellion Reaches $8.1m Data Breach Settlement |url=https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |url-status=live |access-date=26 March 2026 |website=Infosecurity Magazine}}</ref><ref>{{Cite web |last=Davis |first=Jessica |date=14 January 2022 |title=Accellion claims no ‘guarantee’ of security in $8.1M breach settlement |url=https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |url-status=live |access-date=27 March 2026 |website=ScWorld}}</ref>