Accellion Vulnerabilities, Cyberattacks, Victims, Lawsuits: Customer List and Status Updates

The Accellion cyberattack impacted partners and customers worldwide. Here's a regularly updated list of Accellion supply chain victims, what happened, and associated lawsuits against the software company.

Updated - Breach Lawsuit Payment: Accellion has reached an $8.1 million deal with a proposed nationwide class to end litigation over a breach of its legacy file transfer product, Reuters reported on January 13, 2022.

Accellion Breach Overview

Accellion specializes in secure file sharing and collaboration software. The company develops an enterprise content firewall leveraged by more than 3,000 global corporations, government organizations, hospitals and universities. Key investors include Baring Private Equity Asia and Bregal Sagemount.

Accellion Vulnerabilities Discovered: In December 2020, the Accellion File Transfer Appliance product suffered a zero-day exploit. Accellion patched multiple vulnerabilities between December 2020 and January 2021. For details, look for CVE (Common Vulnerabilities and Exposures) codes 2021-27101, 2021-27102, 2021-27103 and 2021-27104.

Hacker Group that Targeted Accellion: Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to FIN11 and the Clop ransomware gang as the cybercriminal group behind the Accellion attack. Source: Threatpost, February 22, 2021.

Resulting Lawsuits: Accellion must separately face a series of lawsuits over the cyberattack after a federal judicial panel rejected consolidation. Source: Bloomberg Law, June 8, 2021.

Accellion Cyberattack Victims List: Updated Regularly

Hackers leveraged the vulnerabilities to attack multiple Accellion partners and customers. Here's a regularly updated victims list...

Australian Securities and Investments Commission: One of its servers was breached in relation to Accellion software used by the agency to transfer files and attachments. Source: ZDNet, January 27, 2021.

Australia's Transport for New South Wales: Details were disclosed in February 2021. Source: ZDNet, February 23, 2021.

Bombardier: The jet maker and Canadian aviation company had some of its data lifted and posted on the dark web. Source: ComputerWeekly, February 24, 2021.

Flagstar Bank: The bank told customers that hackers gained unauthorized access to their names, Social Security numbers and home addresses and it is giving them two free years of identity-monitoring services as compensation. Source: Detroit Free Press, March 24, 2021.

Jones Day Law Firm: Hackers have stolen and leaked files belonging to the Jones Day law firm, one of the largest law firms in the world. The firm famously and controversially worked on some of Donald Trump’s immediate challenges to the 2020 election results. Source: Vice, February 16, 2021.

Kroger: The Kroger Family of Companies, a food store chain, confirmed that it was impacted by the data security incident. Source: Kroger, 2021.

Guidehouse: In a letter to some customers, financial services giant Morgan Stanley disclosed a data breach related to partner Guidehouse and the Accellion supply chain cyberattack. Source: MSSP Alert, July 9, 2021.

Morgan Stanley: In a letter to some customers, financial services giant Morgan Stanley disclosed a data breach related to partner Guidehouse and the Accellion supply chain cyberattack. Source: MSSP Alert, July 9, 2021.

Qualys: Based on an investigation with Accellion and FireEye Mandiant, Qualys remains confident that "we have a complete list of customers who had files on the Accellion FTA server at the time of the incident, and we have contacted them." Source: Qualys, April 2, 2021.

Reserve Bank of New Zealand: Te Pūtea Matua, also known as the Reserve Bank of New Zealand, disclosed a breach. Source: ZDNet, January 12, 2021.

Royal Dutch Shell: The energy giant "has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files. The ongoing investigation has shown that an unauthorized party gained access to various files during a limited window of time." Source: Royal Dutch Shell, March 16, 2021.

Singtel: The telecom giant, parent of MSSP Trustwave, suspended all use of Accellion's system after suffering an attack. Core operations were not affected. However, the hackers managed to steal data involving:

  • Personally identifiable information (PII) of 129,000 customers, spanning a combination of names, date of birth, mobile phone and address.
  • Bank account details of 28 former Singtel employees.
  • Credit card details of 45 staff of a corporate customer with Singtel mobile lines.
  • Some information from 23 enterprises.

Source: Singtel, February 11 and February 17, 2021.

Stanford University: Hackers have leaked stolen data belonging to members of the Stanford community — including Social Security numbers, addresses, emails, family members and financial information — after obtaining the data from a compromised file transfer system used by Stanford Medicine. Source: The Stanford Daily, April 1, 2021.

Trinity Health: The Michigan-based healthcare provider disclosed that some of its data was lifted in the Accellion hack. The hacked files contained "certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information." The confidential information of a very small number of impacted individuals included a social security number or credit card number, the organization added. Source: Trinity Health, April 5, 2021.

University of California:

  • The university has learned that it, along with other universities, government agencies, and private companies throughout the country, was recently subject to the cybersecurity attack. The investigation is ongoing. Source: University of California, March 31, 2021.
  • In an updated statement, UC disclosed that certain UC data was accessed without authorization. The university identified on March 29, 2021 that some of this data was posted on the Internet. Source: University of California, May 10, 2021.

University of Colorado: Multiple updates...

  • CU believes personally identifiable information from students, employees and others may have been compromised. Source: University of Colorado, February 12, 2021.
  • University of Colorado officials said that the extent of the breach of Accellion’s file-transfer application on its community was far greater than initially reported, with more than 300,000 records, including some Social Security numbers, exposed in the incident. Source: EdScoop, April 12, 2021.

University of Maryland, Baltimore: Staff and students at the University of Maryland, Baltimore had their private information, such as passports, addresses and Social Security numbers, posted online following a ransomware attack in December. Source: Government Technology, April 2, 2021.

U.S. Department of Health and Human Services: The department's breach reporting tool shows over 1.3 million patients of Centene subsidiaries were impacted by the massive Accellion File Transfer Appliance vulnerability hack and subsequent data exfiltration. Source: Health IT Security, April 6, 2021.

U.S. Healthcare Organizations: At least seven healthcare organizations have confirmed they were affected in the nationwide data breach. The victims include:

Check this blog regularly for potential updates. Originally posted in February 2021. Updated regularly thereafter. 

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.