Accellion data breach
Around mid-December 2020, several hacker groups going by the names FIN11, UNC2546, and CLOP infiltrated Accellion systems using SQL injection, affecting over 25 companies and leaking the personal information of around 200 customers.[1]
Background
A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical organizations since 2016.[2] It shares close ties to CLOP, a hacker group that has run phishing campaigns and malware distribution since 2016[3], and UNC2546, an unknown hacker group that has been shown to conduct malware attacks and SQL injection.[4][5]
Accellion is a file sharing service provider.
The Attack
Around mid-December, FIN11 targeted Accellion's 20-year-old legacy File Transfer Appliance (FTA), exploiting four zero-day vulnerabilities that allowed the installation of a custom web shell named DEWMODE[6], allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported it, and shortly afterwards released a patch within 72 hours on 20 December.[7] On 20 January 2021, hackers conducted more attacks after finding new vulnerabilities; after Accellion noticed the vulnerabilities on 22 January, they were patched three days later.[1][7]
List of responses
After being informed of the attack, several companies decided to terminate their agreements with Accellion and reach out to potentially affected customers.
Singtel
Kroger
Qualys
City of Toronto
CXS
Centene
Trillium
Shell
University of Colorado
Morgan Stanley
https://techcrunch.com/2021/07/08/the-accellion-data-breach-continues-to-get-messier/
Lawsuit
[10] https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit
Consumer response
References
[1] Burgess, Monica (31 October 2025). "Accellion Data Breach". Huntress. Retrieved 25 March 2026.
[2] Stark, Genevieve; Moore, Andrew; Cannon, Vincent; Leary, Jacqueline; Fraser, Nalani; Goody, Kimberly (14 October 2020). "Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft". FireEye. Archived from the original on 17 October 2020. Retrieved 26 March 2026.
[3] Brubaker, Nathan; Zafra, Daniel; Lunden, Keith; Proska, Ken; Hildebrandt, Corey (15 July 2020). "Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families". FireEye. Archived from the original on 16 July 2020. Retrieved 26 March 2026.
[4] Ropek, Lucas (23 February 2021). "What We Know About the Hackers Behind the Accellion Data Breach". Gizmodo. Retrieved 26 March 2026.
[5] Stone, Jeff (22 February 2021). "FireEye IDs hacking group suspected in Accellion, Kroger breach". Cyberscoop. Retrieved 26 March 2026.
[6] "Accellion Compromise Impacts Many Targets Including Healthcare Organizations" (PDF). hhs.gov. 23 February 2021. Retrieved 26 March 2026.
[7] Neill, Rob (3 March 2021). "Accellion hack: timeline clarifies when and how customers were notified". ARN. Retrieved 26 March 2026.
[8] Panettieri, Joe (14 January 2022). "Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates". MSSP Alert. Retrieved 26 March 2026.
[9] Firch, Jason (14 May 2024). "Accellion Data Breach: What Happened & Who Was Impacted?". Purplesec. Retrieved 26 March 2026.
[10] Coble, Sarah (17 January 2022). "Accellion Reaches $8.1m Data Breach Settlement". Infosecurity Magazine. Retrieved 26 March 2026.