
Around mid-December 2020, several hacker groups going by the names FIN11, UNC2546, and CLOP infiltrated Accellion systems using SQL injection, affecting over 25 companies and leaking the personal information of over 200 customers and employees.[1]

Background

A financially motivated hacker group going by FIN11 has conducted malware and ransomware attacks against financial, retail, and medical organizations since 2016.[2] It has close ties to CLOP, a hacker group that has run phishing campaigns and malware distribution since 2016,[3] and to UNC2546, an unknown hacker group that has been shown to conduct malware attacks and SQL injection.[4][5]

Accellion is a file sharing service provider.

The Attack

Around mid-December, FIN11 targeted Accellion's 20-year legacy File Transfer Appliance (FTA), exploiting two zero-day vulnerabilities that granted the access needed to install a custom web shell named DEWMODE,[6] allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported it, and shortly afterwards released a patch within 72 hours, on 20 and 23 December 2020.[7] On 12 January, the company released a statement announcing the attack and urging customers to update to its newly released communication platform, kiteworks.[8] On 20 January, the hackers conducted more attacks after finding new vulnerabilities, which included two more zero-day vulnerabilities;[9] after Accellion customer service noticed the vulnerabilities on 22 January, they were patched three days later.[1][7]

Around late January, victims started receiving ransom emails threatening to publish the stolen data. If a victim didn't respond, they would receive several more warning messages urging them to respond.[10] The company implemented another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released a statement detailing the attack and adding that no new vulnerabilities had been detected at the time.[11] A last patch, which fixed two additional vulnerabilities, was implemented on 01 March in collaboration with Mandiant (subsidiary to Google).[9] Accellion would announce the termination of its 20-year legacy File Transfer Appliance, giving customers until 30 April to make any changes to their licensing agreements.[12]

Figure: Hackers' ransom demand message

Figure: Hacker group's last warning message

List of responses from affected organizations

After being informed of the attack, several companies decided to terminate their agreements with Accellion and reach out to potentially affected customers.[13][14]

Singtel

On 11 February 2021, Singtel released a statement announcing an investigation in collaboration with security experts and the Cyber Security Agency of Singapore, and made plans to cease operation of Accellion systems.[15] On 17 February, Singtel released another statement detailing the results of its investigation, concluding that the names, dates of birth, mobile numbers, and home addresses of around 129,000 customers were leaked, along with employee and staff financial information. The company highlighted plans to contact affected customers and issued an apology.[16]

"While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves"

Kroger

On 23 January, Kroger was notified of the vulnerability by Accellion, resulting in the company conducting an investigation. Around February, Kroger issued a statement that sought discontinuation of Accellion systems and mentioned that 1% of customers had pharmacy records and money services affected in the attack. Additionally, it highlighted plans to inform affected consumers.[17]

Qualys

From 03 March until 02 April, Qualys made a series of statements and updates after being alerted about the attack around December 2020. In collaboration with Accellion, FireEye, and Mandiant, it pursued an investigation that found and contacted customers whose online and real-life names, email addresses, job titles, and office addresses had been leaked. Additionally, it found no impact or effect on its systems.[18]

City of Toronto

On 22 January, the city was first alerted of the incident by unknown sources; however, the city issued a response in April 2021.[19] When asked, a spokesperson responded, "It takes time to reach any sort of conclusion in view of the legacy system that was breached and the extent of investigation required." It was reported that the information of around 35,000 citizens was affected in the attack; however, the city didn't receive a ransom email, leading to some speculation in the community about the meaning of the silence.[20][21]

CSX

On 02 May, CSX made a statement highlighting that the incident leaked only the personal information of current and past employees. The company didn't provide many details about the incident with regard to customers or the specific type of information, only saying "To date, this incident has had no impact on business operations or our ability to serve our customers".[22][23]

Centene


Trillium

The company became aware of the attack on 25 January and a month later released a statement declaring that customers' addresses, dates of birth, insurance ID numbers, and health information had been leaked and posted online. As compensation, the company gave affected customers one year of credit monitoring and identity theft protection services on 26 February.[24] The company discussed plans to move and remove all data from Accellion systems and to review its files and data-sharing practices.[25]

University of Colorado

Around January, the University of Colorado became aware of the vulnerability, sending various alerts to individuals and temporarily disabling the service until 28 January. On 01 February, the university emailed 447 individuals alleged to be affected. Around 09 February, the university released a statement detailing the events of the attack and the compromise of students' and employees' "identifiable information", medical data, and "study and research data".[26]

Morgan Stanley

On July

https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/

https://securityaffairs.com/119865/data-breach/morgan-stanley-data-breach.html

https://arstechnica.com/gadgets/2021/07/morgan-stanley-discloses-data-breach-that-resulted-from-accellion-fta-hacks/

Stanford University

University of Miami

University of California

QIMR Berghofer Medical Research Institute

HealthNet

Washington State

The Reserve Bank of New Zealand

Australian Securities and Investments Commission

Bombardier

Transport For NSW

Flagstar Bank

Trinity Health

University of Maryland

California Health & Wellness

Arizona Complete Health

Goodwin Procter

Jones Day

Harvard Business School

CalViva Health

Lawsuit


Claims


Rebuttal


Outcome


[27] https://www.scworld.com/analysis/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit

https://www.classaction.org/news/accellion-facing-class-action-over-dec.-2020-file-transfer-service-data-breach

Consumer response



References

  1. Burgess, Monica (31 October 2025). "Accellion Data Breach". Huntress. Retrieved 25 March 2026.
  2. Stark, Genevieve; Moore, Andrew; Cannon, Vincent; Leary, Jacqueline; Fraser, Nalani; Goody, Kimberly (14 October 2020). "Threat Research FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft". FireEye. Archived from the original on 17 October 2020. Retrieved 26 March 2026.
  3. Brubaker, Nathan; Zafra, Daniel; Lunden, Keith; Proska, Ken; Hildebrandt, Corey (15 July 2020). "Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families". FireEye. Archived from the original on 16 July 2020. Retrieved 26 March 2026.
  4. Ropek, Lucas (23 February 2021). "What We Know About the Hackers Behind the Accellion Data Breach". Gizmodo. Retrieved 26 March 2026.
  5. Stone, Jeff (22 February 2021). "FireEye IDs hacking group suspected in Accellion, Kroger breach". Cyberscoop. Retrieved 26 March 2026.
  6. "Accellion Compromise Impacts Many Targets Including Healthcare Organizations" (PDF). hhs.gov. 23 February 2021. Retrieved 26 March 2026.
  7. Neill, Rob (3 March 2021). "Accellion hack: timeline clarifies when and how customers were notified". ARN. Retrieved 26 March 2026.
  8. "Press Release Accellion Responds to Recent FTA Security Incident". Kiteworks. 12 January 2021. Archived from the original on 18 January 2026. Retrieved 26 March 2026.
  9. "ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT" (PDF). Kiteworks. 1 March 2021. Archived (PDF) from the original on 28 November 2021. Retrieved 27 March 2026.
  10. Ilascu, Ionut (22 February 2021). "Global Accellion data breaches linked to Clop ransomware gang". BleepingComputer. Retrieved 27 March 2026.
  11. "Press Release Accellion Provides Update to Recent FTA Security Incident". Accellion. 1 February 2021. Archived from the original on 2 February 2021. Retrieved 26 March 2026.
  12. "Accellion" (PDF). Kiteworks. 27 March 2026. Archived (PDF) from the original on 25 January 2022. Retrieved 27 March 2026.
  13. Panettieri, Joe (14 January 2022). "Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates". MSSP Alert. Retrieved 26 March 2026.
  14. Firch, Jason (14 May 2024). "Accellion Data Breach: What Happened & Who Was Impacted?". Purplesec. Retrieved 26 March 2026.
  15. "Media Statement relating to Accellion's FTA Security Incident". Singtel. 11 February 2021. Retrieved 27 March 2026.
  16. "Singtel addresses data breach, moves to support affected stakeholders". Singtel. 17 February 2021. Archived from the original on 16 January 2026. Retrieved 26 March 2026.
  17. "Information About the Accellion Incident". Kroger. 25 March 2026. Archived from the original on 19 February 2021. Retrieved 25 March 2026.
  18. Carr, Ben (3 March 2021). "Qualys Update on Accellion FTA Security Incident". Qualys. Archived from the original on 13 July 2025. Retrieved 26 March 2026.
  19. "Toronto hit by 'potential cyber breach' from Accellion file transfer software". Databreaches.net. 30 April 2021. Retrieved 27 March 2026.
  20. Woodward, Jon (30 December 2021). "Toronto feared 35,000 citizens' data would be made public after cyberattack: documents". CTV News. Retrieved 26 March 2026.
  21. Adriano, Lyle (3 May 2021). "Toronto reveals potential cyber breach". Insurance Business. Retrieved 26 March 2026.
  22. "CSX probes 'security incident' as hackers leak data". Freightwaves. 2 March 2021. Retrieved 27 March 2026.
  23. Lester, David (3 March 2021). "CSX suffers data exposure by hackers". RT&S. Retrieved 26 March 2026.
  24. "Trillium Community Health Plan members impacted by Accellion breach". databreaches.net. 7 March 2021. Retrieved 27 March 2026.
  25. "Trillium vendor reports a Data Security Incident". Trillium. 25 February 2021. Archived from the original on 14 February 2026. Retrieved 27 March 2026.
  26. "About the Accellion Cyberattack". University of Colorado. 9 February 2021. Archived from the original on 9 February 2021. Retrieved 27 March 2026.
  27. Coble, Sarah (17 January 2022). "Accellion Reaches $8.1m Data Breach Settlement". Infosecurity Magazine. Retrieved 26 March 2026.