Accellion’s data breach left clients in tough position: pay extortion to criminals, or have their data dumped
A breach involving Accellion‘s older file transfer application has left a number of its customers in the unenviable position of not only having a data breach to deal with, but with the added threat that their data and their clients’ data will be dumped by threat actors if they do not pay extortion demands. At least some of them have decided not to give in to extortion demands.
The Accellion breach was first revealed by the California cloud solutions firm in January, who described it as a 0day. At the time, Accellion reported that a vulnerability had been detected in mid-December and patched within 72 hours, and that the situation impacted maybe 50 clients. All impacted clients were notified on December 23, the firm claimed.
In early February, however, Accellion updated their statement to acknowledge that they had subsequently discovered other vulnerabilities as persistent attackers kept attacking them into January.
As Accellion’s impacted clients started coming forward, they told a slightly different story about when Accellion first notified them. The University of Colorado, state of Washington, ASIC, Goodwin Procter law firm, SingTel, and the Royal Bank of New Zealand were reportedly all impacted.
And then things took an even darker turn.
On February 13, DataBreaches.net broke the story that Jones Day law firm had been attacked and their data was being dumped on the dark web by CLOP threat actors, who claimed that the law firm had not responded to ransom demands.
Although they never did respond to this site’s inquiries, Jones Day subsequently informed WSJ that they had been informed about the Accellion breach. They insisted that there was no breach of their system, and that the breach was the vendor’s. CLOP responded that it was Jones Day it had attacked, not Accellion. From this site’s investigation, it seemed that Accellion’s standalone system may have been attacked. Logs that were dumped showed that JonesDay had been using a version of Accellion’s FTA that was vulnerable.
With one Accellion client facing an extortion attempt, could the others be far behind? It turns out they weren’t.
By last night, this site could find data dumps by CLOP threat actors for a number of Accellion clients in addition to Jones Day. Not all of the following have issued statements or press releases confirming that their data had been stolen:
- SingTel had previously reported that the breach impacted 129,000 people, and a number of their clients and employees. They received a ransom demand.
- American Bureau of Shipping (Eagle.org)
- Bombardier (confirmed 2/23/2021)
Other known victims have not (yet?) shown up on the dark web leak site. There has been some media coverage or statements by these entities, but so far, there has been no report that they received ransom demands and as of this morning, they do not appear on CLOP’s leak site.
- Royal Bank of New Zealand
- Allens law firm in Australia
- Goodwin Procter law firm
- The Australian Securities and Investments Commission (ASIC)
- Washington State
- University of Colorado
- QIMR Berghofer
- Kroger Health Services and Money Services (added 2/19/2021)
- Transport for New South Wales (added 2/23/3021)
Accellion claimed to have a number of big law firms as clients. DataBreaches.net is not listing them, but we continue to monitor news for statements about this incident.
This post will be updated as conditions change. There are other companies listed on CLOP’s leak site, but it is not known if they are connected to this incident or unrelated incidents.
In this case, victims’ files do not appear to have been encrypted, and this appears to be a reversion to the older model of hacking, exfiltrating a copy of data, and then attempting to extort the victim so that data are not dumped or sold.
Accellion has not updated its original statement in terms of the number of its clients impacted. It is not known if there are still 50 clients, or if the number is significantly more after attacks in January. In any event, this turns out to be a very large and significant breach. And if so many entities are showing up on CLOP’s leak site, does that mean that more and more victims are refusing to pay extortion? If so, that could indicate a positive development.