SquidthePlummer (talk | contribs)
No edit summary
SquidthePlummer (talk | contribs)
added intro, background, half of the attack, and started draft for list of responses, also added cargo.
Line 6:
|Type=Security
|Description=A security breach affecting over 25 companies, medical institutions and schools, with the personal data of over 200 customers exposed.
}}In mid-December 2020, several hacker groups, going by the names FIN11, UNC2546 and CLOP, infiltrated Accellion's 20-year-old systems, affecting over 25 companies and leaking the personal information of around 200 customers.
}}In mid-December 2020, several hacker groups, going by the names FIN11, UNC2546 and CLOP, infiltrated [[Accellion]] systems using [[wikipedia:SQL_injection|SQL injection]], affecting over 25 companies and leaking the personal information of around 200 customers.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=31 October 2025 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |access-date=25 March 2026 |website=Huntress}}</ref>


https://purplesec.us/breach-report/accellion-data-breach/
==Background==
A financially motivated hacker group known as FIN11 has conducted malware and ransomware attacks against financial, retail and medical organizations since 2016.<ref>{{Cite web |last=Stark |first=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |date=14 October 2020 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 October 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> It shares close ties with [[wikipedia:Clop_(hacker_group)#GoAnywhere_MFT_attack_(2023)|CLOP]], a hacker group that has run phishing campaigns and distributed malware since 2016,<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |date=15 July 2020 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 July 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> and with UNC2546, an unknown hacker group that has been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |date=23 February 2021 |title=What We Know About the Hackers Behind the Accellion Data Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |url-status=live |access-date=26 March 2026 |website=Gizmodo}}</ref><ref>{{Cite web |last=Stone |first=Jeff |date=22 February 2021 |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |url-status=live |access-date=26 March 2026 |website=Cyberscoop}}</ref>
 
Accellion is a file sharing service provider.
 
==The Attack==
In mid-December 2020, FIN11 targeted Accellion's 20-year-old legacy [[wikipedia:File_transfer|File Transfer Appliance]] (FTA), exploiting four [[wikipedia:Zero-day_vulnerability|zero-day vulnerabilities]] that enabled the installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE and SQL injection into Accellion systems.<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref> On 16 December, Accellion became aware of the vulnerability after a customer reported it, and released a patch within 72 hours, on 20 December.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 20 January 2021, the hackers conducted further attacks after finding new vulnerabilities; Accellion noticed these on 22 January and patched them three days later.<ref name=":0" /><ref name=":1" />


https://www.huntress.com/threat-library/data-breach/accellion-data-breach
==List of responses==
[[File:Hacker group ransom demand message.png|alt=Hackers Ransom Demand Message|thumb|Hackers Ransom Demand Message ]]
After being informed of the attack, several companies decided to terminate their agreements with Accellion and reach out to potentially affected customers.


==Background==
<ref>{{Cite web |last=Panettieri |first=Joe |date=14 January 2022 |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |url-status=live |access-date=26 March 2026 |website=MSSP Alert}}</ref> <ref>{{Cite web |last=Firch |first=Jason |date=14 May 2024 |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |url-status=live |access-date=26 March 2026 |website=Purplesec}}</ref>


==[Incident]==
===Singtel===
{{Ph-I-I}}


== Company's response ==
===Kroger===
Several companies


=== Singtel ===
===Qualys===


=== Kroger ===
===City of Toronto===


=== Qualys ===
===CXS===


=== City of Toronto ===
===Centene===


=== CXS ===
===Trillium===


=== Centene ===
===Shell===


=== Trillium ===
===https://web.archive.org/web/20210330165405/https://sao.wa.gov/breach2021/<nowiki/>===


=== Shell ===
=== University of Colorado ===
https://www.techtarget.com/searchsecurity/news/252502430/Accellion-breach-raises-notification-concerns


=== https://web.archive.org/web/20210330165405/https://sao.wa.gov/breach2021/ ===
=== Morgan Stanley ===
https://techcrunch.com/2021/07/08/the-accellion-data-breach-continues-to-get-messier/


==Lawsuit==
{{Ph-I-L}}
{{Ph-I-L}}<ref>{{Cite web |last=Coble |first=Sarah |date=17 January 2022 |title=Accellion Reaches $8.1m Data Breach Settlement |url=https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |url-status=live |access-date=26 March 2026 |website=Infosecurity Magazine}}</ref> https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit
 


==Consumer response==
{{Ph-I-ConR}}
==References==
{{reflist}}
{{Ph-I-C}}
[[Category:Data breaches]]