Accellion data breach: Difference between revisions
Added more incidents |
|||
| Line 6: | Line 6: | ||
|Type=Security | |Type=Security | ||
|Description=A security breach affecting over 25 companies, medical institutions and schools, resulting in over 200 customers. | |Description=A security breach affecting over 25 companies, medical institutions and schools, resulting in over 200 customers. | ||
}}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[wikipedia:Kiteworks|Accellion]] systems using [[wikipedia:SQL_injection|SQL injection,]] affecting organizations delving to various aspects of education, medicine, and finance, leaking over | }}Around Mid December in 2020, several hacker group going by the names FIN11, UNC2546, and CLOP, infiltrated [[wikipedia:Kiteworks|Accellion]] systems using [[wikipedia:SQL_injection|SQL injection,]] affecting organizations delving to various aspects of education, medicine, and finance, leaking over 9 million customers and employees personal information.<ref name=":0">{{Cite web |last=Burgess |first=Monica |date=31 October 2025 |title=Accellion Data Breach |url=https://www.huntress.com/threat-library/data-breach/accellion-data-breach |url-status=live |access-date=25 March 2026 |website=Huntress}}</ref> This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022. | ||
==Background== | ==Background== | ||
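Review bot: The sentence completed in the lead needs a wording pass, and its new second sentence has no citation. "leaking over 9 million customers and employees personal information" reads as if the people were leaked; "exposing the personal information of over 9 million customers and employees" would say what the Huntress reference is being cited for. "This later turn into a lawsuit that reached a $8.1 million settlement on 20 January 2022" should read "later turned into" and should carry a reference here or be left to the Lawsuit section. While this paragraph is open, "several hacker group" should be plural, and the unchanged Description field still ends at "resulting in over 200 customers" without saying what happened to them.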
| Line 23: | Line 23: | ||
In 11 February 2021, Singtel released a statement announcing a investigation in collaborations with security experts and Cyber Security Agency of Singapore and made plans to cease operation of Accellion systems.<ref>{{Cite web |date=11 February 2021 |title=Media Statement relating to Accellion’s FTA Security Incident |url=https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |url-status=live |access-date=27 March 2026 |website=Singtel}}</ref> On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers name, date of birth, mobile number, and home address was leaked, along with employees and staff financial information. The company highlighted plans to contact affected customers, and issuing an apology.<ref>{{Cite web |date=17 February 2021 |title=Singtel addresses data breach, moves to support affected stakeholders |url=https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |url-status=live |archive-url=https://web.archive.org/web/20260116181632mp_/https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |archive-date=16 January 2026 |access-date=26 March 2026 |website=Singtel}}</ref> <blockquote>''"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. 
Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"''</blockquote> | In 11 February 2021, Singtel released a statement announcing a investigation in collaborations with security experts and Cyber Security Agency of Singapore and made plans to cease operation of Accellion systems.<ref>{{Cite web |date=11 February 2021 |title=Media Statement relating to Accellion’s FTA Security Incident |url=https://www.singtel.com/about-us/media-centre/news-releases/media-statement-relating-to-accellion-fta-security-incident |url-status=live |access-date=27 March 2026 |website=Singtel}}</ref> On 17 February, Singtel released another statement detailing the results of their investigation, concluding that around 129,000 customers name, date of birth, mobile number, and home address was leaked, along with employees and staff financial information. The company highlighted plans to contact affected customers, and issuing an apology.<ref>{{Cite web |date=17 February 2021 |title=Singtel addresses data breach, moves to support affected stakeholders |url=https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |url-status=live |archive-url=https://web.archive.org/web/20260116181632mp_/https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders |archive-date=16 January 2026 |access-date=26 March 2026 |website=Singtel}}</ref> <blockquote>''"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"''</blockquote> | ||
===Kroger=== | ===[[Kroger]]=== | ||
On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date=25 March 2026 |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref> | On 23 January, [[Kroger]] was notified of the vulnerability after being informed by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems as well as mention 1% of customers had pharmacy records, money services being affected in the attack. Additionally, it highlighted plans to inform affected consumers.<ref>{{Cite web |date=25 March 2026 |title=Information About the Accellion Incident |url=https://www.kroger.com/i/accellion-incident |url-status=dead |archive-url=https://web.archive.org/web/20210219235325/https://www.kroger.com/i/accellion-incident |archive-date=19 February 2021 |access-date=25 March 2026 |website=Kroger}}</ref> | ||
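Review bot: The heading change to ===[[Kroger]]=== puts a link inside a section heading when the first sentence of that section already links [[Kroger]]; keep the heading plain, as the CalViva Health heading later in this diff is, and leave the link in the body. In the same section, the Kroger citation has date=25 March 2026, identical to its access-date, while the archived copy is dated 19 February 2021, so the date field appears to hold the retrieval date rather than the publication date. The Singtel paragraph touched above still opens with "In 11 February 2021" and "a investigation in collaborations with", which could be corrected in this edit.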
| Line 74: | Line 74: | ||
The company provided little information regarding the attack, with only responding in a statement made to the Wall Street Journal that it was affected by the attack. Allegedly, there was plan to arrange an agreement between CLOP, however the company went silent, resulting in releasing information about Jones Day clients. The hacker organization CLOP responded to the company's silence;<ref>{{Cite web |date=16 February 2021 |title=Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2) |url=https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><ref>{{Cite web |last=Koebler |first=Jason |last2=Cox |first2=Joseph |last3=Bicchierai |first3=Lorenzo |date=16 February 2021 |title=Hacker Leaks Files from Jones Day Law Firm, Which Worked on Trump Election Challenges |url=https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |url-status=live |access-date=29 March 2026 |website=Vice}}</ref><ref>{{Cite web |date=13 February 2021 |title=Threat actors claim to have stolen Jones Day files; law firm remains quiet |url=https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><blockquote>''" we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"''</blockquote> | The company provided little information regarding the attack, with only responding in a statement made to the Wall Street Journal that it was affected by the attack. 
Allegedly, there was plan to arrange an agreement between CLOP, however the company went silent, resulting in releasing information about Jones Day clients. The hacker organization CLOP responded to the company's silence;<ref>{{Cite web |date=16 February 2021 |title=Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2) |url=https://databreaches.net/2021/02/16/jones-day-disputes-claimed-breach-points-to-hacked-vendor-hacker-points-back-to-them/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><ref>{{Cite web |last=Koebler |first=Jason |last2=Cox |first2=Joseph |last3=Bicchierai |first3=Lorenzo |date=16 February 2021 |title=Hacker Leaks Files from Jones Day Law Firm, Which Worked on Trump Election Challenges |url=https://www.vice.com/en/article/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges/ |url-status=live |access-date=29 March 2026 |website=Vice}}</ref><ref>{{Cite web |date=13 February 2021 |title=Threat actors claim to have stolen Jones Day files; law firm remains quiet |url=https://databreaches.net/2021/02/13/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/ |url-status=live |access-date=29 March 2026 |website=DataBreaches.net}}</ref><blockquote>''" we hacked their server where the Accellion was and took the data from there, we spammed all over the company and all over the contact sheet they repeatedly entered the chat and were silent"''</blockquote> | ||
=== CalViva Health === | ===CalViva Health=== | ||
The company sent an email to affected customers on 24 March after being informed by Accellion on 25 January. It lists customers Addresses, date of birth, insurance ID Number, and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers 1 year IDX membership.<ref>{{Cite web |date=24 March 2021 |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |url-status=live |access-date=29 March 2026 |website=oag.ca.gov}}</ref> | The company sent an email to affected customers on 24 March after being informed by Accellion on 25 January. It lists customers Addresses, date of birth, insurance ID Number, and health information were compromised. The company announced discontinuation of Accellion services and gave affected customers 1 year IDX membership.<ref>{{Cite web |date=24 March 2021 |title=Notice of Data Breach |url=https://oag.ca.gov/system/files/CalViva%20-%20%20Accellion%20Breach%20Notice%20Letter.pdf |url-status=live |access-date=29 March 2026 |website=oag.ca.gov}}</ref> | ||
==Lawsuit== | ==Lawsuit== | ||
{{ | On 18 February 2021, a lawsuit was filed against Accellion for failure to secure personal information of its customers, alleging it resulting in the plaintiffs facing years of ''"constant surveillance of their financial and personal records, monitoring, and loss of rights".''<ref>{{Cite web |last=Rizzi |first=Corrado |date=19 February 2021 |title=Accellion Facing Class Action Over Dec. 2020 File Transfer Service Data Breach [UPDATE] |url=https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach |url-status=live |access-date=27 March 2026 |website=ClassAction}}</ref><ref>{{Cite web |date=29 March 2026 |title=Zebelman v. Accellion, Inc. |url=https://dockets.justia.com/docket/california/candce/5:2021cv01203/373802 |url-status=live |access-date=29 March 2026 |website=Justia U.S Law}}</ref> The case reached a $8.1 million settlement on 20 January 2022, requiring Accellion give 2 years of credit monitoring and insurance services and reimburse up to $10,000 or receive payment of $15 or $50 to affected individuals.<ref>{{Cite web |last=Coble |first=Sarah |date=17 January 2022 |title=Accellion Reaches $8.1m Data Breach Settlement |url=https://www.infosecurity-magazine.com/news/accellion-reaches-81m-data-breach/ |url-status=live |access-date=26 March 2026 |website=Infosecurity Magazine}}</ref><ref>{{Cite web |last=Davis |first=Jessica |date=14 January 2022 |title=Accellion claims no ‘guarantee’ of security in $8.1M breach settlement |url=https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit |url-status=live |access-date=27 March 2026 |website=ScWorld}}</ref> | ||
==Consumer response== | |||
{{Ph-I-ConR}} | {{Ph-I-ConR}} | ||
==References== | ==References== | ||
{{reflist}} | {{reflist}} | ||
[[Category:Data breaches]] | [[Category:Data breaches]] | ||
[[Category:2020 incidents]] | [[Category:2020 incidents]] | ||
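Review bot: The new Lawsuit paragraph says the case "reached a $8.1 million settlement on 20 January 2022", but both references attached to that sentence are dated earlier (Infosecurity Magazine, 17 January 2022; SC World, 14 January 2022), so they cannot support that date as written. Either cite a source for 20 January or state what happened on that date. The relief clause "reimburse up to $10,000 or receive payment of $15 or $50 to affected individuals" mixes who pays and who receives; split it into the options available to a class member. "alleging it resulting in" should be "alleging it resulted in", and the Justia docket citation uses date=29 March 2026, the same value as its access-date.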