The ongoing impacts of the Accellion Breach from December 2020 continue to be felt, as more victims make themselves known, months since the attack was initially reported. In recent weeks, more victims have been uncovered through a series of notifications and investigations, with more expected to follow.
About the Accellion Breach
Accellion’s File Transfer Appliance (FTA) file sharing service was compromised due to 4 zero-day vulnerabilities, leading to a data breach affecting roughly 100 clients of the company. The attackers placed a DEWMODE webshell on the servers that allowed them to take files from the servers.
13 organizations across five countries have suffered their own data breaches as a result of Accellion’s FTA breach, with the data stolen then appearing on websites that serve as a link between the attacks, the websites’ operators, and the Clop ransomware gang.
The growing impact of the breach
The zero-day vulnerabilities were exploited in mid-December, allowing the attackers to take over the FTA. They used this access to send malicious updates to FTA customers. Accellion quickly released patches to close the vulnerabilities, but it was too late. By April 30, 2021, Accellion FTA, which had been in operation for 20 years, was retired.
Some of the 13 organizations, which include Bombardier Inc. and Kroger Co., are FTA customers whose own clients were affected in turn. One of the most recent victims to emerge is Guidehouse.
Guidehouse and Qualys latest firms caught up in the Accellion breach
In July 2021, Guidehouse, a consulting firm and managed service provider, was caught up in the breach when it found that its customer, Morgan Stanley, published a data breach disclosure letter. The bank was informed of the breach by Guidehouse on May 20 and then sent the letter to the New Hampshire Attorney General on July 2.
As a result of the breach into Morgan Stanley’s systems, it is estimated that 108 New Hampshire residents were also impacted. Since then, the bank has taken steps to mitigate the damage and investigate the potential of further impacts on its own customers.
Earlier, in March of this year, Qualys was another high-profile addition to the list of Accellion FTA breach victims. This security services supplier saw some of its own customers’ data leak to a dark web site operated by the Clop ransomware group.
Later in the same month, Flagstar Bank also confirmed with its customers that their data had been affected by the Accellion FTA breach. While customer data was confirmed to have been impacted, operations did not cease.
As a result, many customers were already moving away from Accellion’s FTA services before they were formally closed. Many others have been working with IT support teams to ensure that they close any potential breaches in their own systems.
Mounting pressure on Accellion
Since the first announcement of the breach, much has been made of the lengthy incident response investigations and notifications from Accellion, some taking place months later. It is likely we will continue to see news of further impacts down the line, too, so past customers of Accellion FTA should be prepared.