Consumer Rights Wiki

Accellion data breach: Difference between revisions

← Older edit
VisualWikitext
m Lawsuit: whoops
Clean-up.
 
Line 1: Line 1:
{{Cleanup}}{{IncidentCargo
{{Cleanup}}
{{IncidentCargo
|Company=Accellion, Kroger, Shell, Trillium, Qualys, Singtel, CSX
|Company=Accellion, Kroger, Shell, Trillium, Qualys, Singtel, CSX
|StartDate=2020-12
|StartDate=December 2020
|EndDate=2021-02
|EndDate=February 2021
|Status=Resolved
|Status=Resolved
|Type=Security
|Type=Security
|Description=A security breach affecting over 25 companies, medical institutions and schools.
|Description=A cybersecurity breach affecting over 25 companies, medical institutions and schools.
}}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[Kiteworks]] (formerly [[wikipedia:Kiteworks|Accellion]])  systems using [[wikipedia:SQL_injection|SQL injection,]] affecting organizations delving to various aspects of education, medicine, and finance, leaking over 9 million customers and employees personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=2025-10-31 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |archive-url=https://web.archive.org/web/20260306051955/https://www.huntress.com/threat-library/data-breach/accellion-data-breach |archive-date=2026-03-06 |access-date=2026-03-25 |website=[[Huntress]]}}</ref> This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022.
}}
 
Around mid-December in 2020, several hacker groups going by the names FIN11, UNC2546, and CLOP, infiltrated [[Kiteworks]] (formerly {{Wplink|Kiteworks|Accellion}})  systems using {{Wplink|SQL injection}}, affecting organizations delving to various aspects of education, medicine, and finance, leaking over nine million customers' and employees' personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |website=Huntress |date=31 Oct 2025 |access-date=25 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260306051955/https://www.huntress.com/threat-library/data-breach/accellion-data-breach |archive-date=6 Mar 2026}}</ref> This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022.


==Background==
==Background==
A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.<ref>{{Cite web |last=Stark |first=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |date=14 October 2020 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 October 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> It shares close ties to [[wikipedia:Clop_(hacker_group)#GoAnywhere_MFT_attack_(2023)|CLOP]], a hacker group that since 2016 has ran phishing campaigns and malware distributions<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |date=15 July 2020 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 July 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref>and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |date=2021-02-23 |title=What We Know About the Hackers Behind the Accellion Data Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |url-status=live |archive-url=https://web.archive.org/web/20250723040100/https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |archive-date=2025-07-23 |access-date=2026-03-26 |website=[[Gizmodo]]}}</ref><ref>{{Cite web |last=Stone |first=Jeff |date=2021-02-22 |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |url-status=live |archive-url=https://web.archive.org/web/20260118200149/https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |archive-date=2026-01-18 |access-date=2026-03-26 |website=[[Cyberscoop]]}}</ref>
A financially-motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.<ref>{{Cite web |last1=Stark |first1=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |display-authors=3 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |website=Fire Eye |date=14 Oct 2020 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 Oct 2020}}</ref> It shares close ties to {{Wplink|Clop (hacker group)#GoAnywhere MFT attack (2023)|CLOP}}, a hacker group that since 2016 has run phishing campaigns and malware distributions,<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |display-authors=3 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |website=Fire Eye |date=15 Jul 2020 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 Jul 2020}}</ref> and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |title=What We Know About the Hackers Behind the Accellion Data Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |website=Gizmodo |date=23 Feb 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250723040100/https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |archive-date=23 Jul 2025}}</ref><ref>{{Cite web |last=Stone |first=Jeff |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |website=Cyberscoop |date=22 Feb 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260118200149/https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |archive-date=18 Jan 2026}}</ref>


==The Attack==
==The Attack==
Around Mid December, FIN11 targeted Accellion 20 year legacy {{Wplink|File transfer|File Transfer Appliance}} (FTA), deploying two {{Wplink|Zero-day vulnerability|zero-day-vulnerabilities}} that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=2021-02-23 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |archive-url=https://web.archive.org/web/20250116150510/https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |archive-date=2025-01-16 |access-date=26 March 2026 |website=[[Health Sector Cybersecurity Coordination Center (HC3)]]}}</ref>, allowing for SQL injection into Accellion systems.  On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |archive-url=https://web.archive.org/web/20250722084059/https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |archive-date=22 July 2025 |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing  the attack and urging customers to update to their newly released communication platform Kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref>  On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |archive-url=https://web.archive.org/web/20260118094624/https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |archive-date=18 January 2026 |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref>  A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>
[[File:Accellion breach hacker group ransom demand message.png|thumb|alt=Hackers' ransom demand message.|Hackers' ransom demand message.]]
[[File:Accellion breach hacker group ransom demand message.png|thumb|alt=Hackers' ransom demand message.|Hackers' ransom demand message.]]
[[File:Accellion breach hacker group last warning message.png|thumb|alt=Hacker group's last warning message.|Hacker group's last warning message.]]
[[File:Accellion breach hacker group last warning message.png|thumb|alt=Hacker group's last warning message.|Hacker group's last warning message.]]


==List of responses from affected organizations<!-- This contains only companies having any resemblance to consumers -->==
Around mid-December, FIN11 targeted Accellion's 20-years old legacy {{Wplink|File transfer|File Transfer Appliance}} (FTA), deploying two {{Wplink|Zero-day vulnerability|zero-day-vulnerabilities}} that granted access to installation of a custom {{Wplink|web shell}} named DEWMODE,<ref>{{Cite web |author= |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |website=U.S. Department of Health and Human Services |date=23 Feb 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20250116150510/https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |archive-date=16 Jan 2025 |format=PDF}}</ref> allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shortly after released a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |website=ARN |date=3 Mar 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250722084059/https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |archive-date=22 Jul 2025}}</ref> On 12 January 2021, the company released a statement announcing the attack and urged customers to update to their newly-released communication platform Kiteworks.<ref>{{Cite web |author= |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |website=Kiteworks |date=12 Jan 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 Jan 2026}}</ref>
Companies began being informed of the breach around January through March, later releasing statement about the incident. Several companies decided to terminate their agreements with Accellion and collaborate with law enforcement and other companies, while also reaching out to potentially affected customers.<ref>{{Cite web |last=Panettieri |first=Joe |date=14 January 2022 |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |url-status=live |archive-url=https://web.archive.org/web/20250711215300/https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |archive-date=11 July 2025 |access-date=26 March 2026 |website=MSSP Alert}}</ref><ref>{{Cite web |last=Firch |first=Jason |date=14 May 2024 |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |url-status=live |archive-url=https://web.archive.org/web/20260416041503/https://purplesec.us/breach-report/accellion-data-breach/ |archive-date=16 April 2026 |access-date=26 March 2026 |website=Purplesec}}</ref>   
 
On 20 January, hackers conducted more attacks after finding new vulnerabilities that included two more zero-day-vulnerabilities,<ref name=":2">{{Cite web |author= |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |website=Kiteworks |date=1 Mar 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 Nov 2021 |format=PDF}}</ref> however after the vulnerabilities were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" /> Around late January, victims started receiving ransom e-mails that threatened to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |website=BleepingComputer |date=22 Feb 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260118094624/https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |archive-date=18 Jan 2026}}</ref> The company implemented another patch on 28 January that enhanced the security of the patch from 23 December 2020. On 1 February, Accellion released a statement detailing the attack and added that no new vulnerabilities were detected at that time.<ref>{{Cite web |author= |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |website=Accellion |date=1 Feb 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 Feb 2021}}</ref> A last patch was implemented on 1 March in collaboration with {{Wplink|Mandiant}} (a subsidiary of [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" />
 
Accellion announced termination of its legacy FTA software on 15 February 2021,<ref>{{Cite web |last=Arghire |first=Ionut |title=Accellion to Retire File Transfer Service Targeted in Attacks |url=https://www.securityweek.com/accellion-retire-file-transfer-service-targeted-attacks/ |website=SecurityWeek |date=15 Feb 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20210215094708/https://www.securityweek.com/accellion-retire-file-transfer-service-targeted-attacks/ |archive-date=15 Feb 2021}}</ref> giving customers until 30 April 2021 to make any changes to their licensing agreements.<ref>{{Cite web |author= |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |website=Kiteworks |date=27 Mar 2026 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 Jan 2022 |format=PDF}}</ref>
 
==List of responses from affected organizations<!-- This contains only companies having any relevancy to consumers -->==
Companies began being informed of the breach around January through March, later releasing statements about the incident. Several companies decided to terminate their agreements with Accellion and collaborate with law enforcement and other companies, while also reaching out to potentially affected customers.<ref>{{Cite web |last=Panettieri |first=Joe |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |website=MSSP Alert |date=14 Jan 2022 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250711215300/https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |archive-date=11 Jul 2025}}</ref><ref>{{Cite web |last=Firch |first=Jason |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |website=PurpleSec |date=14 May 2024 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20260416041503/https://purplesec.us/breach-report/accellion-data-breach/ |archive-date=16 Apr 2026}}</ref>   


===Singtel===
===Singtel===
In 11 February 2021, Singtel released a statement announcing a investigation in collaborations with security experts and Cyber Security Agency of Singapore and made plans to cease operation of Accellion systems.<ref>{{Cite web |date=11 February 2021 |title=Media Statement relating to Accellion’s FTA Security Incident |url=https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |url-status=live |archive-url=https://web.archive.org/web/20260118170931/https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |archive-date=18 January 2026 |access-date=27 March 2026 |website=Singtel}}</ref> On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers name, date of birth, mobile number, and home address was leaked, along with employees and staff financial information. The company highlighted plans to contact affected customers, and issuing an apology.<ref>{{Cite web |date=17 February 2021 |title=Singtel addresses data breach, moves to support affected stakeholders |url=https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |url-status=live |archive-url=https://web.archive.org/web/20260116181632mp_/https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |archive-date=16 January 2026 |access-date=26 March 2026 |website=Singtel}}</ref> <blockquote>''"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"''</blockquote>
On 11 February 2021, Singtel released a statement announcing an investigation in collaboration with security experts and the Cyber Security Agency of Singapore, as well as plans to cease operation of Accellion systems.<ref>{{Cite web |author= |title=Media Statement relating to Accellion’s FTA Security Incident |url=https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |website=Singtel |date=11 Feb 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260118170931/https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |archive-date=18 Jan 2026}}</ref> On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers' names, dates of birth, mobile phone numbers, and home addresses were leaked, along with employees' and staff's financial information. The company highlighted plans to contact affected customers, and issued an apology.<ref>{{Cite web |author= |title=Singtel addresses data breach, moves to support affected stakeholders |url=https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |website=Singtel |date=17 Feb 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260116181632mp_/https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |archive-date=16 Jan 2026}}</ref>
<blockquote>''"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"''</blockquote>


===[[Kroger]]===
===Kroger===
On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date= |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref>
On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems, as well as mentioning that 1% of customers had pharmacy records and money services impacted by the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |author= |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |website=Kroger |date= |access-date=25 Mar 2026 |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 Feb 2021}}</ref>


===Qualys===
===Qualys===
Starting on 03 March till 02 April, Qualys made a series of statement and updates after being alerted about the attack around December 2020. In collaboration with Accellion, FireEye, and Mandiant, a investigation pursued that found and contacted customers with leaked online and real life names, email addresses, job titles, and office addresses. Additionally, it found no impact or effect on its systems.<ref>{{Cite web |last=Carr |first=Ben |date=3 March 2021 |title=Qualys Update on Accellion FTA Security Incident |url=https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident |url-status=live |archive-url=https://web.archive.org/web/20250713022054/https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident |archive-date=13 July 2025 |access-date=26 March 2026 |website=Qualys}}</ref>  
Starting on 3 March through 2 April 2021, Qualys made a series of statement and updates after being alerted about the attack around December 2020. In collaboration with Accellion, FireEye, and Mandiant, an investigation found and contacted customers with leaked online and real life names, e-mail addresses, job titles, and office addresses. Additionally, it found no impact or effect on its systems.<ref>{{Cite web |last=Carr |first=Ben |title=Qualys Update on Accellion FTA Security Incident |url=https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident |website=Qualys |date=3 Mar 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250713022054/https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident |archive-date=13 Jul 2025}}</ref>  


===City of Toronto===
===City of Toronto===
On 22 January, the city was first alerted of the incident by unknown sources, however the city issued a response on April 2021.<ref>{{Cite web |date=30 April 2021 |title=Toronto hit by ‘potential cyber breach’ from Accellion file transfer software |url=https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |url-status=live |archive-url=https://web.archive.org/web/20251209022024/https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |archive-date=9 December 2025 |access-date=27 March 2026 |website=DataBreaches.Net}}</ref> When asked, a spokesperson responded by claiming "“It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." it was reported that around 35,000 citizens information was affected in the attack, however the city didn't receive a ransom email, leading to some speculation in the community of the meaning of the silence.<ref>{{Cite web |last=Woodward |first=Jon |date=30 December 2021 |title=Toronto feared 35,000 citizens' data would be made public after cyberattack: documents |url=https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |url-status=live |archive-url=https://web.archive.org/web/20260416042729/https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |archive-date=16 April 2026 |access-date=26 March 2026 |website=CTV News}}</ref><ref>{{Cite web |last=Adriano |first=Lyle |date=3 May 2021 |title=Toronto reveals potential cyber breach |url=https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |url-status=live |archive-url=https://web.archive.org/web/20260416043216/https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |archive-date=16 April 2026 |access-date=26 March 2026 |website=Insurance Business}}</ref>
On 22 January 2021, the city was first alerted of the incident by unknown sources, however the city did not issue a response until April 2021.<ref>{{Cite web |author= |title=Toronto hit by ‘potential cyber breach’ from Accellion file transfer software |url=https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |website=DataBreaches.Net |date=30 Apr 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20251209022024/https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |archive-date=9 Dec 2025}}</ref> When asked, a spokesperson responded by claiming ''"It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required."'' It was reported that around 35,000 citizens' information was affected in the attack, however the city didn't receive a ransom e-mail, leading to some speculation in the community of the meaning of the silence.<ref>{{Cite web |last=Woodward |first=Jon |title=Toronto feared 35,000 citizens' data would be made public after cyberattack: documents |url=https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |website=CTV News |date=30 Dec 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260416042729/https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |archive-date=16 Apr 2026}}</ref><ref>{{Cite web |last=Adriano |first=Lyle |title=Toronto reveals potential cyber breach |url=https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |website=Insurance Business |date=3 May 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260416043216/https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |archive-date=16 Apr 2026}}</ref>


===CXS===
===CXS===
On 02 May, CXS made a statement highlighting the incident only leaking current and past employees personal information. The company didn't provide much details surrounding the incident in regards to customers or specific type of information, only saying “''To date, this incident has had no impact on business operations or our ability to serve our customers''".<ref>{{Cite web |date=2 March 2021 |title=CSX probes ‘security incident’ as hackers leak data |url=https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |url-status=live |archive-url=https://web.archive.org/web/20260216050403/https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |archive-date=16 February 2026 |access-date=27 March 2026 |website=FreightWaves}}</ref><ref>{{Cite web |last=Lester |first=David |date=3 March 2021 |title=CSX suffers data exposure by hackers |url=https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |url-status=live |archive-url=https://web.archive.org/web/20240930080445/https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |archive-date=30 September 2024 |access-date=26 March 2026 |website=RT&S}}</ref>
On 2 May 2021, CXS made a statement highlighting the incident, only mentioning the leaking of current and past employees' personal information. The company didn't provide much detail surrounding the incident with regards to customers or any specific type of information, saying only that ''"To date, this incident has had no impact on business operations or our ability to serve our customers."''<ref>{{Cite web |author= |title=CSX probes ‘security incident’ as hackers leak data |url=https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |website=FreightWaves |date=2 Mar 2021 |access-date=27 March 2026 |url-status=live |archive-url=https://web.archive.org/web/20260216050403/https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |archive-date=16 Feb 2026}}</ref><ref>{{Cite web |last=Lester |first=David |title=CSX suffers data exposure by hackers |url=https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |website=RT&S |date=3 Mar 2021 |access-date=26 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20240930080445/https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |archive-date=30 Sep 2024}}</ref>


===Centene===
===Centene===
Line 38: Line 47:


===Trillium===
===Trillium===
The Company became aware of the attack on 25 January, and a month later released a statement, declaring customers address, date of birth, insurance ID number, and health information has been leaked and posted online. As compensation, the company gave 1 year credit monitoring and identity theft protection services to affected customers on 26 February.<ref>{{Cite web |last=Dissent |date=2021-03-07 |title=Trillium Community Health Plan members impacted by Accellion breach |url=https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |url-status=live |archive-url=https://web.archive.org/web/20251008135925/https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |archive-date=2025-10-08 |access-date=2026-03-27 |website=[[DataBreaches.Net]]}}</ref> The company discussed plans to move and remove all data from Accellion systems, review files and sharing data practices.<ref>{{Cite web |date=25 February 2021 |title=Trillium vendor reports a Data Security Incident |url=https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |url-status=live |archive-url=https://web.archive.org/web/20260214042648/https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |archive-date=14 February 2026 |access-date=27 March 2026 |website=Trillium}}</ref><!-- This contains only companies having any resemblance to consumers  -->
Trillium became aware of the attack on 25 January 2021, and about a month later released a statement, declaring customers' addresses, dates of birth, insurance ID numbers, and health information were leaked and posted online. As compensation, the company gave one-year credit monitoring and identity theft protection services to affected customers on 26 February 2021.<ref>{{Cite web |author=Dissent |title=Trillium Community Health Plan members impacted by Accellion breach |url=https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |website=DataBreaches.Net |date=7 Mar 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20251008135925/https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |archive-date=8 Oct 2025}}</ref> The company discussed plans to move and remove all data from Accellion systems, and review files and sharing data practices.<ref>{{Cite web |author= |title=Trillium vendor reports a Data Security Incident |url=https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |website=Trillium |date=25 Feb 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260214042648/https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |archive-date=14 Feb 2026}}</ref><!-- This contains only companies having any resemblance to consumers  -->


===Morgan Stanley===
===Morgan Stanley===
[[wikipedia:Morgan_Stanley|Morgan Stanley]] third party vendor Guidehouse, a company that delivers account maintenance services, notified Morgan Stanely of the breach on 20 May 2021 after discovering the breach in March and finding information containing names, addresses, date of birth and social security numbers about Morgan Stanley clients in March.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=Morgan Stanley reports data breach after vendor Accellion hack |url=https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |url-status=live |archive-url=http://web.archive.org/web/20250722154012/https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |archive-date=22 July 2025 |access-date=27 March 2026 |website=BleepingComputer}}</ref><ref>{{Cite web |last=Goodin |first=Dan |date=8 July 2021 |title=Morgan Stanley discloses data breach that resulted from Accellion FTA hacks |url=https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |url-status=live |archive-url=https://web.archive.org/web/20251009115845/https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |archive-date=9 October 2025 |access-date=27 March 2026 |website=Ars Technica}}</ref><ref>{{Cite web |last=Paganini |first=Pierluigi |date=8 July 2021 |title=Morgan Stanley discloses data breach after the hack of a third-party vendor |url=https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html |url-status=live |archive-url=http://web.archive.org/web/20251214005437/https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html |archive-date=14 December 2025 |access-date=27 March 2026 |website=SecurityAffairs}}</ref> Morgan Stanley sent emails to affected victims on 08 June and later on 02 July, sending a email to the attorney general office located in concord informing them of the attack.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=morgan-stanley-bc-20210702 |url=https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702/ |url-status=live |archive-url=https://web.archive.org/web/20240918045209/https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702 |archive-date=2024-09-18 |access-date=28 March 2026 |website=[[DocumentCloud]]}}</ref>  
{{Wplink|Morgan Stanley}} third-party vendor Guidehouse, a company that delivers account maintenance services, notified Morgan Stanley of the breach on 20 May 2021, after discovering the breach in March and finding information containing names, addresses, dates of birth and Social Security numbers about Morgan Stanley clients.<ref>{{Cite web |last=Gatlan |first=Sergiu |title=Morgan Stanley reports data breach after vendor Accellion hack |url=https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |website=BleepingComputer |date=8 Jul 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20250722154012/https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |archive-date=22 Jul 2025}}</ref><ref>{{Cite web |last=Goodin |first=Dan |title=Morgan Stanley discloses data breach that resulted from Accellion FTA hacks |url=https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |website=Ars Technica |date=8 Jul 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20251009115845/https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |archive-date=9 Oct 2025}}</ref><ref>{{Cite web |last=Paganini |first=Pierluigi |title=Morgan Stanley discloses data breach after the hack of a third-party vendor |url=https://securityaffairs.com/119865/data-bSecurityAffairsreach/morgan-stanley-data-breach.html |website=security affairs |date=8 Jul 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=http://web.archive.org/web/20251214005437/https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html |archive-date=14 Dec 2025}}</ref> Morgan Stanley sent e-mails to affected victims on 8 June, and later on 2 July sent an e-mail to the attorney general office located in Concord, New Hampshire to inform them of the attack.<ref>{{Cite web |author= |title=morgan-stanley-bc-20210702 |url=https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702/ |website=DocumentCloud |date=8 Jul 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20240918045209/https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702 |archive-date=18 Sep 2024}}</ref>  


===HealthNet===
===Health Net===
On 24 March, [[wikipedia:Health_Net|Healthnet]], an American health care insurance provider, released a statement that declared customers addresses, date of birth, insurance ID number, and health information such as medical conditions and treatment information, was compromised. The company stated it started collaraborationg with law enforcement and cease operation of Accellion services.<ref>{{Cite web |date=24 March 2021 |title=Health Net received information that one of our business partners was a victim of a cyber-attack |url=https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |url-status=live |archive-url=https://web.archive.org/web/20210406205107/https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |archive-date=6 April 2021 |access-date=28 March 2026 |website=Health Net}}</ref>
On 24 March 2021, {{Wplink|Health Net}}, an American health care insurance provider, released a statement that declared customers' addresses, dates of birth, insurance ID numbers, and health information such as medical conditions and treatment information, was compromised. The company stated it had started collaborating with law enforcement and ceasing operation of Accellion services.<ref>{{Cite web |author= |title=Health Net received information that one of our business partners was a victim of a cyber-attack |url=https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |website=Health Net |date=24 Mar 2021 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20210406205107/https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |archive-date=6 Apr 2021}}</ref>


===The Reserve Bank of New Zealand===
===The Reserve Bank of New Zealand===
Line 57: Line 66:


===Flagstar Bank===
===Flagstar Bank===
Around March, Flagstar bank posted a post on its website alerting users that its been apart in a cybersecurity attack relating to one of their vendors Accellion. The company declared discontinuation of Accellion services and creating a calling center for affected individuals.<ref>{{Cite web |date=28 March 2026 |title=Accellion Incident Information Center |url=https://www.flagstar.com/customer-support/accellion-information-center.html |url-status=live |archive-url=https://web.archive.org/web/20210308111846/https://www.flagstar.com/customer-support/accellion-information-center.html |archive-date=8 March 2021 |access-date=28 March 2026 |website=Flagstar Bank}}</ref>
Around March 2021, Flagstar Bank posted on its website an alert to users that its vendor, Accellion, had been the target of a cybersecurity attack. The company declared discontinuation of Accellion services and the creation of a calling center for affected individuals.<ref>{{Cite web |author= |title=Accellion Incident Information Center |url=https://www.flagstar.com/customer-support/accellion-information-center.html |website=Flagstar Bank |date=Mar 2021 |access-date= |url-status=dead |archive-url=https://web.archive.org/web/20210308111846/https://www.flagstar.com/customer-support/accellion-information-center.html |archive-date=8 Mar 2021}}</ref>


===Trinity Health===
===Trinity Health===
On 05 April, Trinity Health would declare customers personal and medical information was access and leaked online. The company announced plans to inform affected customers and create a headline to affected customers.<ref>{{Cite web |date=5 April 2021 |title=Trinity Health Announces Response to Accellion Data Event |url=https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |url-status=live |archive-url=http://web.archive.org/web/20251113154146/https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |archive-date=13 November 2025 |access-date=28 March 2026 |website=PR Newswire}}</ref><blockquote>Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.</blockquote>
On 5 April 2021, Trinity Health declared that customers' personal and medical information was accessed and leaked online. The company announced plans to inform affected customers and create a hotline to affected customers.<ref>{{Cite web |author= |title=Trinity Health Announces Response to Accellion Data Event |url=https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |website=PR Newswire |date=5 Apr 2021 |access-date=28 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20251113154146/https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |archive-date=13 Nov 2025}}</ref>
<blockquote>''Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.''</blockquote>


===California Health & Wellness===
===California Health & Wellness===
California Health & Wellness became aware of the attack after being alerted from Accellion on 25 January, which upon notice immediately conducted an investigation alongside Accellion.<ref>{{Cite web |last=Adler |first=Steve |date=6 April 2021 |title=More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack |url=https://www.hipaajournal.com/more-than-1-2-million-health-net-members-affected-by-accellion-cyberattack/ |url-status=live |archive-url=http://web.archive.org/web/20240704193957/https://www.hipaajournal.com/more-than-1-2-million-health-net-members-affected-by-accellion-cyberattack/ |archive-date=4 July 2024 |access-date=28 March 2026 |website=The Hippa Journal}}</ref> In a statement released on ---, California Health & Wellness confirmed customers address, date of birth, insurance ID number, and related health information was compromised. The company announced plan to cease operation of Accellion software and gave affected customers 1 year identity protection service with IDX membership.  
California Health & Wellness became aware of the attack after being alerted by Accellion on 25 January 2021, upon which it immediately conducted an investigation alongside Accellion.<ref>{{Cite web |last=Adler |first=Steve |title=More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack |url=https://www.hipaajournal.com/more-than-1-2-million-health-net-members-affected-by-accellion-cyberattack/ |website=The HIPPA Journal |date=6 Apr 2021 |access-date=28 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20240704193957/https://www.hipaajournal.com/more-than-1-2-million-health-net-members-affected-by-accellion-cyberattack/ |archive-date=4 Jul 2024}}</ref> In a statement released on ---, California Health & Wellness confirmed customers address, date of birth, insurance ID number, and related health information was compromised. The company announced plan to cease operation of Accellion software and gave affected customers one-year identity protection service with IDX membership.{{Citation needed|date=4 June 2026}}


===Arizona Complete Health===
===Arizona Complete Health===
Arizona Complete Health released a statement on 26 February, confirming around 27,000 customers addresses, date of birth, insurance ID numbers, and medical conditions, were compromised after being informed of the attack on 25 January, The company announced it would cease operation of Accellion systems, removing all related data associated, and provide affected customers 1 year of credit monitoring services.<ref>{{Cite web |last=Drees |first=Jackie |date=18 March 2021 |title=Ransomware attack exposes 27,000+ Arizona health plan members’ data for 2.5 weeks |url=https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/ransomware-attack-exposes-27-000-arizona-health-plan-members-data-for-2-5-weeks/ |url-status=live |archive-url=https://web.archive.org/web/20250521184950/https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/ransomware-attack-exposes-27-000-arizona-health-plan-members-data-for-2-5-weeks/ |archive-date=21 May 2025 |access-date=29 March 2026 |website=beckershospitalreview.com}}</ref><ref>{{Cite web |date=26 February 2021 |title=Arizona Complete Health (AzCH) received information that one of our business partners was a victim of a cyber-attack. |url=https://www.azcompletehealth.com/newsroom/cyber-accellion.html |url-status=live |archive-url=https://web.archive.org/web/20210318182004/https://www.azcompletehealth.com/newsroom/cyber-accellion.html |archive-date=18 March 2021 |access-date=29 March 2026 |website=Arizona Complete Health}}</ref>
Arizona Complete Health released a statement on 26 February 2021, confirming that approximately 27,000 customers' addresses, dates of birth, insurance ID numbers, and medical conditions were compromised after being informed of the attack on 25 January. The company announced it would cease operation of Accellion systems, removing all related data, and provide affected customers one year of credit monitoring services.<ref>{{Cite web |last=Drees |first=Jackie |title=Ransomware attack exposes 27,000+ Arizona health plan members’ data for 2.5 weeks |url=https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/ransomware-attack-exposes-27-000-arizona-health-plan-members-data-for-2-5-weeks/ |website=Becker's Health IT |date=18 Mar 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20250521184950/https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/ransomware-attack-exposes-27-000-arizona-health-plan-members-data-for-2-5-weeks/ |archive-date=21 May 2025}}</ref><ref>{{Cite web |author= |title=Arizona Complete Health (AzCH) received information that one of our business partners was a victim of a cyber-attack. |url=https://www.azcompletehealth.com/newsroom/cyber-accellion.html |website=Arizona Complete Health |date=26 Feb 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20210318182004/https://www.azcompletehealth.com/newsroom/cyber-accellion.html |archive-date=18 March 2021}}</ref>


===Goodwin Procter===
===Goodwin Procter===
Line 72: Line 82:


===Jones Day===
===Jones Day===
The company provided little information regarding the attack, with only responding in a statement made to the Wall Street Journal that it was affected by the attack. Allegedly, there was plan to arrange an agreement between CLOP, however the company went silent, resulting in releasing information about Jones Day clients. The hacker organization CLOP responded to the company's silence;<ref>{{Cite web |date=16 February 2021 |title=Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2) |url=https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |url-status=live |archive-url=http://web.archive.org/web/20250912012045/https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |archive-date=12 September 2025 |access-date=29 March 2026 |website=DataBreaches.Net}}</ref><ref>{{Cite web |last=Koebler |first=Jason |last2=Cox |first2=Joseph |last3=Bicchierai |first3=Lorenzo |date=16 February 2021 |title=Hacker Leaks Files from Jones Day Law Firm, Which Worked on Trump Election Challenges |url=https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |url-status=live |archive-url=https://web.archive.org/web/20250523061551/https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |archive-date=23 May 2025 |access-date=29 March 2026 |website=Vice}}</ref><ref>{{Cite web |date=13 February 2021 |title=Threat actors claim to have stolen Jones Day files; law firm remains quiet |url=https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |url-status=live |archive-url=http://web.archive.org/web/20251231135108/https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |archive-date=31 December 2025 |access-date=29 March 2026 |website=DataBreaches.Net}}</ref><blockquote>''" we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"''</blockquote>
{{Wplink|Jones Day}} provided little information regarding the attack, only responding in a statement made to ''The Wall Street Journal''<ref>{{Cite web |last1=Hobbs |first1=Tawnell D. |last2=Randazzo |first2=Sara |title=Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day |url=https://www.wsj.com/tech/cybersecurity/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532 |website=The Wall Street Journal. |date=16 Feb 2021 |access-date=4 June 2026 |url-status=live |archive-url=https://web.archive.org/web/20250822035905/https://www.wsj.com/tech/cybersecurity/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532 |archive-date=22 Aug 2025}}</ref> that it was affected by the attack through Accellion. Allegedly, there was a plan to arrange an agreement between CLOP, however the company went silent, resulting in the releasing of information about Jones Day clients. The hacker organization CLOP responded to the company's silence;<ref>{{Cite web |author=Dissent |title=Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2) |url=https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |website=DataBreaches.Net |date=16 Feb 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=http://web.archive.org/web/20250912012045/https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |archive-date=12 Sep 2025}}</ref><ref>{{Cite web |last1=Koebler |first1=Jason |last2=Cox |first2=Joseph |last3=Bicchierai |first3=Lorenzo |title=Hacker Leaks Files from Jones Day Law Firm, Which Worked on Trump Election Challenges |url=https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |website=Vice |date=16 Feb 2021 |access-date=29 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250523061551/https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |archive-date=23 May 2025}}</ref><ref>{{Cite web |author= |title=Threat actors claim to have stolen Jones Day files; law firm remains quiet |url=https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |website=DataBreaches.Net |date=13 Feb 2021 |access-date=29 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20251231135108/https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/
|archive-date=31 Dec 2025}}</ref>
<blockquote>''"we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"''</blockquote>


===CalViva Health===
===CalViva Health===
The company sent an email to affected customers on 24 March after being informed by Accellion on 25 January. It lists customers Addresses, date of birth, insurance ID Number, and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers 1 year IDX membership.<ref>{{Cite web |date=24 March 2021 |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |url-status=live |archive-url=https://web.archive.org/web/20251204190444/https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |archive-date=4 December 2025 |access-date=29 March 2026 |website=oag.ca.gov}}</ref>   
CalViva Health sent an e-mail to affected customers on 24 March 2021 after being informed by Accellion on 25 January. It listed that customers' addresses, dates of birth, insurance ID numbers, and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers one-year IDX membership.<ref>{{Cite web |author= |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |website=California Office of Attorney General |date=24 Mar 2021 |access-date=4 Jun 2026 |url-status=live |archive-url=https://web.archive.org/web/20251204190444/https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |archive-date=4 Dec 2025 |format=PDF}}</ref>   


==Lawsuit==
==Lawsuit==
On 18 February 2021, a lawsuit was filed against Accellion for failure to secure the personal information of its customers, alleging it resulting in the plaintiffs facing years of ''"constant surveillance of their financial and personal records, monitoring, and loss of rights".''<ref>{{Cite web |last=Rizzi |first=Corrado |title=Accellion Facing Class Action Over Dec. 2020 File Transfer Service Data Breach [UPDATE] |url=https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |website=ClassAction.org |date=19 Feb 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20260213224702/https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |archive-date=13 Feb 2026}}</ref><ref>{{Cite web |author= |title=''Zebelman v. Accellion, Inc.'' (5:21-cv-01203) |url=https://www.courtlistener.com/docket/59301268/zebelman-v-accellion-inc/ |website=Court Listener |date= |access-date=4 May 2026 |url-status=live |archive-url=https://web.archive.org/web/20260503050609/https://www.courtlistener.com/docket/59301268/zebelman-v-accellion-inc/ |archive-date=3 May 2026}}</ref> The case reached an $8.1 million settlement on 20 January 2022, requiring Accellion give two years of credit monitoring and insurance services and reimburse up to $10,000  or receive payment of $15 or $50 to affected individuals.<ref>{{Cite web |last=Coble |first=Sarah |title=Accellion Reaches $8.1m Data Breach Settlement |url=https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |website=Infosecurity Magazine |date=17 Jan 2022 |access-date=26 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20250721231918/https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |archive-date=21 Jul 2025}}</ref><ref>{{Cite web |last=Davis |first=Jessica |title=Accellion claims no ‘guarantee’ of security in $8.1M breach settlement |url=https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |website=ScWorld |date=14 Jan 2022 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260416164141/https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |archive-date=16 Apr 2026}}</ref>
On 18 February 2021, a lawsuit was filed against Accellion for failure to secure the personal information of its customers, alleging it resulted in the plaintiffs facing years of ''"constant surveillance of their financial and personal records, monitoring, and loss of rights".''<ref>{{Cite web |last=Rizzi |first=Corrado |title=Accellion Facing Class Action Over Dec. 2020 File Transfer Service Data Breach [UPDATE] |url=https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |website=ClassAction.org |date=19 Feb 2021 |access-date=27 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20260213224702/https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |archive-date=13 Feb 2026}}</ref><ref>{{Cite web |author= |title=''Zebelman v. Accellion, Inc.'' (5:21-cv-01203) |url=https://www.courtlistener.com/docket/59301268/zebelman-v-accellion-inc/ |website=Court Listener |date= |access-date=4 May 2026 |url-status=live |archive-url=https://web.archive.org/web/20260503050609/https://www.courtlistener.com/docket/59301268/zebelman-v-accellion-inc/ |archive-date=3 May 2026}}</ref> The case reached an $8.1 million settlement on 20 January 2022, requiring Accellion give two years of credit monitoring and insurance services and reimburse up to $10,000  or receive payment of $15 or $50 to affected individuals.<ref>{{Cite web |last=Coble |first=Sarah |title=Accellion Reaches $8.1m Data Breach Settlement |url=https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |website=Infosecurity Magazine |date=17 Jan 2022 |access-date=26 Mar 2026 |url-status=live |archive-url=http://web.archive.org/web/20250721231918/https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |archive-date=21 Jul 2025}}</ref><ref>{{Cite web |last=Davis |first=Jessica |title=Accellion claims no ‘guarantee’ of security in $8.1M breach settlement |url=https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |website=SC Media |date=14 Jan 2022 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260416164141/https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |archive-date=16 Apr 2026}}</ref>


==Consumer response==
==Consumer response==
Line 84: Line 96:


==References==
==References==
{{reflist}}
{{Reflist}}
 
[[Category:Data breaches]]
[[Category:Data breaches]]
[[Category:2020 incidents]]
Retrieved from "https://consumerrights.wiki/w/Accellion_data_breach"