SquidthePlummer (talk | contribs)
removing employee related incidents
SquidthePlummer (talk | contribs)
added and remove incidents
Line 6: Line 6:
|Type=Security
|Type=Security
|Description=A security breach affecting over 25 companies, medical institutions and schools, resulting in over 200 customers.
|Description=A security breach affecting over 25 companies, medical institutions and schools, resulting in over 200 customers.
}}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[Accellion]] systems using [[wikipedia:SQL_injection|SQL injection,]] affecting over 25 companies and leaking over 200 customers and employees personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=31 October 2025 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |access-date=25 March 2026 |website=Huntress}}</ref>
}}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[wikipedia:Kiteworks|Accellion]] systems using [[wikipedia:SQL_injection|SQL injection,]] affecting organizations delving to various aspects of education, medicine, and finance, leaking over 200 customers and employees personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=31 October 2025 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |access-date=25 March 2026 |website=Huntress}}</ref> This later turn into a lawsuit that reached a $8.1 million settlement.


==Background==
==Background==
A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.<ref>{{Cite web |last=Stark |first=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |date=14 October 2020 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 October 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> It shares close ties to [[wikipedia:Clop_(hacker_group)#GoAnywhere_MFT_attack_(2023)|CLOP]], a hacker group that since 2016 has ran phishing campaigns and malware distributions<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |date=15 July 2020 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 July 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref>,  and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |date=23 February 2021 |title=What We Know About the Hackers Behind the Accellion Data 
Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |url-status=live |access-date=26 March 2026 |website=Gizmodo}}</ref><ref>{{Cite web |last=Stone |first=Jeff |date=22 February 2021 |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |url-status=live |access-date=26 March 2026 |website=Cyberscoop}}</ref>
A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical related organizations since 2016.<ref>{{Cite web |last=Stark |first=Genevieve |last2=Moore |first2=Andrew |last3=Cannon |first3=Vincent |last4=Leary |first4=Jacqueline |last5=Fraser |first5=Nalani |last6=Goody |first6=Kimberly |date=14 October 2020 |title=Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft |url=https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |url-status=live |archive-url=https://web.archive.org/web/20201017221743/https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html |archive-date=17 October 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref> It shares close ties to [[wikipedia:Clop_(hacker_group)#GoAnywhere_MFT_attack_(2023)|CLOP]], a hacker group that since 2016 has ran phishing campaigns and malware distributions<ref>{{Cite web |last=Brubaker |first=Nathan |last2=Zafra |first2=Daniel |last3=Lunden |first3=Keith |last4=Proska |first4=Ken |last5=Hildebrandt |first5=Corey |date=15 July 2020 |title=Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families |url=https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |url-status=live |archive-url=https://web.archive.org/web/20200716090918/https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html |archive-date=16 July 2020 |access-date=26 March 2026 |website=Fire Eye}}</ref>,  and UNC2546, an unknown hacker group that been shown to conduct malware attacks and SQL injection.<ref>{{Cite web |last=Ropek |first=Lucas |date=23 February 2021 |title=What We Know About the Hackers Behind the Accellion Data 
Breach |url=https://gizmodo.com/what-we-know-about-the-hackers-behind-the-accellion-dat-1846316990 |url-status=live |access-date=26 March 2026 |website=Gizmodo}}</ref><ref>{{Cite web |last=Stone |first=Jeff |date=22 February 2021 |title=FireEye IDs hacking group suspected in Accellion, Kroger breach |url=https://cyberscoop.com/fireeye-ids-hacking-group-suspected-in-accellion-kroger-breach/ |url-status=live |access-date=26 March 2026 |website=Cyberscoop}}</ref>


Accellion is a file sharing service provider.  
Founded in 1999, Accellion is a file sharing service provider that later rebranded into Kiteworks.  


==The Attack==
==The Attack==
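Review bot: The sentence appended to the lead, "This later turn into a lawsuit that reached a $8.1 million settlement.", has no <ref>, although every other claim in the lead is cited. Add a source for the settlement figure and change "turn" to "turned". The new Background line "Founded in 1999, Accellion is a file sharing service provider that later rebranded into Kiteworks" is also uncited. The reworded lead no longer repeats the "over 25 companies" figure that |Description= still gives, and "leaking over 200 customers and employees personal information" needs the possessive ("customers' and employees'") to read correctly.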
Line 17: Line 17:
[[File:Hacker group last warning message.png|thumb|Hacker group last warning message]]
[[File:Hacker group last warning message.png|thumb|Hacker group last warning message]]


==List of responses from affected organizations==
==List of responses from affected organizations <!-- This contains only companies having any resemblance to consumers  -->==
After being informed of the attack, several companies decided to terminate their agreements with Accellion and reach out to potentially affected customers. <ref>{{Cite web |last=Panettieri |first=Joe |date=14 January 2022 |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |url-status=live |access-date=26 March 2026 |website=MSSP Alert}}</ref> <ref>{{Cite web |last=Firch |first=Jason |date=14 May 2024 |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |url-status=live |access-date=26 March 2026 |website=Purplesec}}</ref>   
Companies began being informed of the breach around January through March, later releasing statments about the incident. Several companies decided to terminate their agreements with Accellion and collaborate with law enforcement and other companies, while also reach out to potentially affected customers. <ref>{{Cite web |last=Panettieri |first=Joe |date=14 January 2022 |title=Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates |url=https://www.msspalert.com/news/accellion-vulnerabilities-victim-list |url-status=live |access-date=26 March 2026 |website=MSSP Alert}}</ref> <ref>{{Cite web |last=Firch |first=Jason |date=14 May 2024 |title=Accellion Data Breach: What Happened & Who Was Impacted? |url=https://purplesec.us/breach-report/accellion-data-breach/ |url-status=live |access-date=26 March 2026 |website=Purplesec}}</ref>   


===Singtel===
===Singtel===
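Review bot: The rewritten intro sentence under "List of responses from affected organizations" gives "around January through March" with no year, misspells "statements" as "statments", and breaks its verb form in "while also reach out". State the year and make the verbs parallel ("terminate ..., collaborate ..., and reach out ..."). The HTML comment placed inside the heading markup ("<!-- This contains only companies having any resemblance to consumers -->==") would be easier to maintain on its own line below the heading.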
Line 24: Line 24:


===Kroger===
===Kroger===
On 23 January, Kroger was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date=25 March 2026 |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref>
On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date=25 March 2026 |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref>


===Qualys===
===Qualys===
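Review bot: The Kroger citation kept in this paragraph has date=25 March 2026, identical to its access-date, while the archived copy is dated 19 February 2021 and the URL is marked dead. The date field should carry the statement's publication date, not the day it was retrieved. While the line is being touched for the [[Kroger]] link, "was notified of the vulnerability after being informed by Accellion" says the same thing twice, and "as well as mention 1% of customers had pharmacy records, money services being affected" should be rewritten so it is clear what the 1% refers to.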
Line 32: Line 32:
On 22 January, the city was first alerted of the incident by unknown sources, however the city issued a response on April 2021.<ref>{{Cite web |date=30 April 2021 |title=Toronto hit by ‘potential cyber breach’ from Accellion file transfer software |url=https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |url-status=live |access-date=27 March 2026 |website=Databreaches.net}}</ref> When asked, a spokesperson responded by claiming "“It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." it was reported that around 35,000 citizens information was affected in the attack, however the city didn't receive a ransom email, leading to some speculation in the community of the meaning of the silence.<ref>{{Cite web |last=Woodward |first=Jon |date=30 December 2021 |title=Toronto feared 35,000 citizens' data would be made public after cyberattack: documents |url=https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |url-status=live |access-date=26 March 2026 |website=CTV News}}</ref><ref>{{Cite web |last=Adriano |first=Lyle |date=3 May 2021 |title=Toronto reveals potential cyber breach |url=https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |url-status=live |access-date=26 March 2026 |website=Insurance Business}}</ref>
On 22 January, the city was first alerted of the incident by unknown sources, however the city issued a response on April 2021.<ref>{{Cite web |date=30 April 2021 |title=Toronto hit by ‘potential cyber breach’ from Accellion file transfer software |url=https://databreaches.net/2021/04/30/toronto-hit-by-potential-cyber-breach-from-accellion-file-transfer-software/ |url-status=live |access-date=27 March 2026 |website=Databreaches.net}}</ref> When asked, a spokesperson responded by claiming "“It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." it was reported that around 35,000 citizens information was affected in the attack, however the city didn't receive a ransom email, leading to some speculation in the community of the meaning of the silence.<ref>{{Cite web |last=Woodward |first=Jon |date=30 December 2021 |title=Toronto feared 35,000 citizens' data would be made public after cyberattack: documents |url=https://www.ctvnews.ca/toronto/article/toronto-feared-35000-citizens-data-would-be-made-public-after-cyberattack-documents/ |url-status=live |access-date=26 March 2026 |website=CTV News}}</ref><ref>{{Cite web |last=Adriano |first=Lyle |date=3 May 2021 |title=Toronto reveals potential cyber breach |url=https://www.insurancebusinessmag.com/ca/news/cyber/toronto-reveals-potential-cyber-breach-253921.aspx |url-status=live |access-date=26 March 2026 |website=Insurance Business}}</ref>


===CXS===
=== CXS ===
On 02 May,  CXS made a statement highlighting the incident only leaking current and past employees personal information. The company didn't provide much details surrounding the incident in regards to customers or specific type of information, only saying “''To date, this incident has had no impact on business operations or our ability to serve our customers''".<ref>{{Cite web |date=2 March 2021 |title=CSX probes ‘security incident’ as hackers leak data |url=https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |url-status=live |access-date=27 March 2026 |website=Freightwaves}}</ref><ref>{{Cite web |last=Lester |first=David |date=3 March 2021 |title=CSX suffers data exposure by hackers |url=https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |url-status=live |access-date=26 March 2026 |website=RT&S}}</ref>
On 02 May,  CXS made a statement highlighting the incident only leaking current and past employees personal information. The company didn't provide much details surrounding the incident in regards to customers or specific type of information, only saying “''To date, this incident has had no impact on business operations or our ability to serve our customers''".<ref>{{Cite web |date=2 March 2021 |title=CSX probes ‘security incident’ as hackers leak data |url=https://www.freightwaves.com/news/csx-probes-security-incident-as-hackers-leak-data |url-status=live |access-date=27 March 2026 |website=Freightwaves}}</ref><ref>{{Cite web |last=Lester |first=David |date=3 March 2021 |title=CSX suffers data exposure by hackers |url=https://www.rtands.com/freight/csx-suffers-data-exposure-by-hackers/ |url-status=live |access-date=26 March 2026 |website=RT&S}}</ref>


===Centene<!-- don't understand this one, can someone fill this one in  -->===
===Centene===
{{Incomplete section}}
{{Incomplete section}}


===Trillium===
===Trillium===
The Company became aware of the attack on 25 January, and a month later released a statement, declaring customers address, date of birth, insurance ID number, and health information has been leaked and posted online. As compensation, the company gave 1 year credit monitoring and identity theft protection services to affected customers on 26 February.<ref>{{Cite web |date=7 March 2021 |title=Trillium Community Health Plan members impacted by Accellion breach |url=https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |url-status=live |access-date=27 March 2026 |website=databreaches.net}}</ref>  The company discussed plans to move and remove all data from Accellion systems, review files and sharing data practices.<ref>{{Cite web |date=25 February 2021 |title=Trillium vendor reports a Data Security Incident |url=https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |url-status=live |archive-url=https://web.archive.org/web/20260214042648/https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |archive-date=14 February 2026 |access-date=27 March 2026 |website=Trillium}}</ref>  
The Company became aware of the attack on 25 January, and a month later released a statement, declaring customers address, date of birth, insurance ID number, and health information has been leaked and posted online. As compensation, the company gave 1 year credit monitoring and identity theft protection services to affected customers on 26 February.<ref>{{Cite web |date=7 March 2021 |title=Trillium Community Health Plan members impacted by Accellion breach |url=https://databreaches.net/2021/03/07/trillium-community-health-plan-members-impacted-by-accellion-breach/ |url-status=live |access-date=27 March 2026 |website=databreaches.net}}</ref>  The company discussed plans to move and remove all data from Accellion systems, review files and sharing data practices.<ref>{{Cite web |date=25 February 2021 |title=Trillium vendor reports a Data Security Incident |url=https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |url-status=live |archive-url=https://web.archive.org/web/20260214042648/https://www.trilliumohp.com/newsroom/trillium-vendor-reports-a-data-security-incident.html |archive-date=14 February 2026 |access-date=27 March 2026 |website=Trillium}}</ref>
===University of Colorado===
Around January, the University of Colorado became aware of the vulnerability, conducting various alerts to individuals and temporarly disabling the service untill 28 January. On 01 February, the university emailed 447 individuals alleged to be affected. Around 09 February, the University released a statement detailing the events of the attack and the comrpimisation of students and employees "identifiable information", medical data, and "study and research data".<ref>{{Cite web |date=9 February 2021 |title=About the Accellion Cyberattack |url=https://www.cu.edu/accellion-cyberattack |url-status=dead |archive-url=https://web.archive.org/web/20210209234658/https://www.cu.edu/accellion-cyberattack |archive-date=9 February 2021 |access-date=27 March 2026 |website=University of Colorado}}</ref>
 
===Morgan Stanley===
===Morgan Stanley===
On July  
[[wikipedia:Morgan_Stanley|Morgan Stanely]] third party vendor Guidehouse, a company that delivers account maintenance services, notified Morgan Stanely of the breach on 20 May 2021 after discovering the breach in March and finding information containing names, addresses, date of birth and social security numbers about Morgan Stanely clients in March.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=Morgan Stanley reports data breach after vendor Accellion hack |url=https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref><ref>{{Cite web |last=Goodin |first=Dan |date=8 July 2021 |title=Morgan Stanley discloses data breach that resulted from Accellion FTA hacks |url=https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/ |url-status=live |access-date=27 March 2026 |website=Arstechnica}}</ref><ref>{{Cite web |last=Paganini |first=Pierluigi |date=8 July 2021 |title=Morgan Stanley discloses data breach after the hack of a third-party vendor |url=https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html |url-status=live |access-date=27 March 2026 |website=SecurityAffairs}}</ref> Morgan Stanley sent emails to affected victims on 08 June and later on 02 July, sending a email to the attorney general office located in concord informing them of the attack.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=8 July 2021 |title=morgan-stanley-bc-20210702 |url=https://www.documentcloud.org/documents/20985259-morgan-stanley-bc-20210702/ |url-status=live |access-date=28 March 2026 |website=DocumentCloud}}</ref>
 
https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/
 
https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html
 
https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/
 
===Standford University===
 
===University Of Miami===
 
===University Of California===
 
===QIMR Berghofer Medical Research Institute===


===HealthNet===
===HealthNet===
 
On 24 March, [[wikipedia:Health_Net|Healthnet]], an American health care insurance provider, released a statement that declared customers addresses, date of birth, insurance ID number, and health information such as medical conditions and treatment information, was compromised. The company stated it started  collaraborationg with law enforcement and cease operation of Accellion services.<ref>{{Cite web |date=24 March 2021 |title=Health Net received information that one of our business partners was a victim of a cyber-attack |url=https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |url-status=live |archive-url=https://web.archive.org/web/20210406205107/https://www.healthnet.com/content/healthnet/en_us/news-center/news-releases/cyber-accellion.html |archive-date=6 April 2021 |access-date=28 March 2026 |website=Health Net}}</ref>
===Washington State===


===The Reserve Bank of New Zealand===
===The Reserve Bank of New Zealand===
{{Incomplete section}}
https://web.archive.org/web/20210111063645/https://www.rbnz.govt.nz/news/2021/01/reserve-bank-response-to-illegal-breach-of-data-system


===Australian Securities and Investments Commission===
https://web.archive.org/web/20210115022125/https://www.rbnz.govt.nz/our-response-to-data-breach<nowiki/>'


===Bombardier===
https://www.interest.co.nz/banking/109058/reserve-banks-says-it-working-directly-stakeholders-determine-how-many-people-have


===Transport For NSW===
https://www.bankinfosecurity.com/reserve-bank-new-zealand-investigates-data-breach-a-15737


===Flagstar Bank===
===Flagstar Bank===
Around March, Flagstar bank posted a post on its website alerting users that its been apart in a cybersecurity attack relating to one of their vendors Accellion. The company declared discontinuation of Accellion services and creating a calling center for affected individuals.<ref>{{Cite web |date=28 March 2026 |title=Accellion Incident Information Center |url=https://www.flagstar.com/customer-support/accellion-information-center.html |url-status=live |archive-url=https://web.archive.org/web/20210308111846/https://www.flagstar.com/customer-support/accellion-information-center.html |archive-date=8 March 2021 |access-date=28 March 2026 |website=Flagstar Bank}}</ref>


===Trinity Health===
===Trinity Health===
 
On 05 April, Trinity Health would declare customers personal and medical information was access and leaked online. The company announced plans to inform affected customers and create a headline to affected customers.<ref>{{Cite web |date=5 April 2021 |title=Trinity Health Announces Response to Accellion Data Event |url=https://www.prnewswire.com/news-releases/trinity-health-announces-response-to-accellion-data-event-301262364.html |url-status=live |access-date=28 March 2026 |website=Trinity Health}}</ref><blockquote>Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.</blockquote>
===University of Maryland===


===California Health & Wellness===
===California Health & Wellness===
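Review bot: The "CXS" heading and the paragraph under it do not match the cited sources, whose titles read "CSX probes 'security incident' as hackers leak data" and "CSX suffers data exposure by hackers"; the statement is also dated "On 02 May" while both references are dated 2 and 3 March 2021. Correct the name and check the date against the sources. In the Morgan Stanley section, the three bare URLs (bleepingcomputer.com, securityaffairs.com, arstechnica.com) duplicate references already cited inline in the paragraph above them and can be dropped, and "Morgan Stanely" is misspelled three times. The bare rbnz.govt.nz, interest.co.nz and bankinfosecurity.com links should be converted to {{Cite web}} references like the rest of the page. Smaller fixes in the same region: "Standford", "temporarly", "untill", "comrpimisation", "collaraborationg", "create a headline to affected customers" in the Trinity Health paragraph, and the Flagstar citation's date=28 March 2026 against an archive-date of 8 March 2021.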
Line 85: Line 69:


===Jones Day===
===Jones Day===
===Harvard Business School===


===CalViva Health===
===CalViva Health===
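Review bot: The "Jones Day" heading is left with no body text in this region. Other empty entries on the page (Centene, The Reserve Bank of New Zealand) carry {{Incomplete section}}, so either add that template here or remove the heading until there is sourced content for it.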