Data breaches have a tendency to grow past initially reported figures. Organizations don’t always know how screwed they are right away, investigations take time, and new victims are discovered amidst the wreckage. This is certainly proving to be the case with Accellion, the Palo Alto, Calif.-based cloud provider that experienced what appears to be a fairly catastrophic cyberattack in December.
To sum up: On Dec. 23, it was discovered that a bad actor had hacked its way into Accellion’s client data via a zero-day vulnerability in its secure file transfer application. FTA is a tired, decades-old product first launched 20 years ago that the firm was planning to officially retire in April. The application, which was specifically designed to handle moving large amounts of data, potentially allowed the actor to access troves of information about dozens of companies. It is unclear whether the data was actually stolen—though things certainly don’t look good at the moment.
While the company initially claimed the vulnerability was patched within 72 hours, it later had to explain that new vulnerabilities were discovered—and that attacks were ongoing throughout the latter part of December and the first part of January. The last public update provided by the company on Feb. 1 said it had “patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”
This has all led to the natural question: Just how big was this data breach?
Since December, a steady trickle of companies, universities, banks and other various entities have begun to disclose their involvement in the breach. So far, it’s unclear just how many of Accellion’s clients were affected—or what the long-term effects will be. The firm, which says it serves some 3,000 global corporations and government agencies worldwide, claimed in January that “less than 50 companies” had been affected by the incident. This number seems to have gone up, however. When asked to give a full list of the affected clients Thursday, an Accellion representative said, via email, that the company was still looking into it:
“Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm. We will share more information once this assessment is complete. For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible.”
There seems to be a new number floating around that is substantially bigger than 50, however: 300. That is the approximate number of clients recently published by the University of Colorado, which this week claimed it was “one of some 300 Accellion customers that were affected by the attack.” When reached by email Thursday, an Accellion representative did not comment on the number. But a representative from the university said that the figure had come from Accellion.
Singtel, a Singapore-based telecom conglomerate, also disclosed Thursday that it was among the potentially affected. The firm, which is one of several large telecoms of its kind in Singapore, said that it had used Accellion as a “standalone system that we use to share information internally as well as with external stakeholders” but that some customer data may have been compromised. “We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised,” the company said.
QIMR Berghofer Medical Research Institute, a medical research facility in Australia involved in tests for anti-malarial drugs, said Thursday that “about 4%, or 620MB, of the QIMR Berghofer data in Accellion appears to have been accessed through the file-sharing system” on Dec. 25. The institute went on to state that some de-identified data that had been related to anti-malarial trials was stored in the Accellion FTA.
The Australian Securities and Investments Commission (ASIC), the Reserve Bank of New Zealand (RBNZ), and Harvard Business School, among others, have also disclosed breaches. One victim, the auditor’s office for the state of Washington, was in the midst of conducting a statewide review of unemployment applications from 2020—ironically, to track cyber fraudsters that had previously exploited the system. The resultant data breach means a potential compromise of some 1.6 million Washington residents’ sensitive information, including social security numbers, bank account and routing information, names, birthdays, and more.
Time will tell just how many organizations were touched by the breach—and what the actual extent of the damage is. For now, there are a lot of unknowns.
There is certainly a lesson here about not letting your organization rely on end-of-life legacy products. Accellion had been in the midst of trying to push clients towards adoption of its newest platform, Kiteworks, which the company says is “built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure development process.” The firm’s chief information security officer recently commented that Accellion had “encouraged all FTA customers to migrate to Kiteworks for the last three years.” After the recent water-poisoning hack in Oldsmar, Fla. (which authorities say may have been accessed via an outdated Windows 7 program), the lesson should be to take the advice of a company when they suggest you to transition to their most updated product.