Accellion Data Breach: Latest Updates & Impact

Morgan Stanley Latest Victim of Accellion Hack
Morgan Stanley has been identified as a recent victim of the ongoing data breach affecting users of Accellion’s file-sharing product. The disclosure comes more than six months after the 20-year-old software was first compromised.
Data Breach Details
The investment banking firm, itself familiar with data security incidents, confirmed that its clients’ personal information was compromised when attackers breached the Accellion FTA server used by its third-party vendor, Guidehouse.
According to a letter sent to affected individuals, first reported by Bleeping Computer, threat actors obtained an undetermined number of documents containing customer addresses and Social Security numbers.
While the stolen documents were encrypted, the attackers also managed to acquire the decryption key. However, Morgan Stanley asserts that the files did not include passwords for customer financial accounts.
Company Response
“Protecting client data is our highest priority, and we treat it with the utmost seriousness,” stated a Morgan Stanley spokesperson to TechCrunch. “We are working closely with Guidehouse and implementing measures to minimize potential risks to our clients.”
Widespread Impact of the Accellion Attack
Prior to the Morgan Stanley disclosure, a healthcare provider in Arkansas also reported a data breach stemming from the Accellion attack. Similarly, UC Berkeley had previously acknowledged a security incident related to the same vulnerability.
The continued emergence of new victims, even after six months, underscores Accellion’s ongoing struggle to fully address the situation.
Timeline of the Cyberattack
The initial cyberattack was detected on December 23rd. Accellion initially stated the vulnerability was patched within 72 hours. However, the company later admitted to discovering additional vulnerabilities.
Accellion’s final update in March claimed all known FTA vulnerabilities – exploited by the FIN11 and Clop ransomware groups – had been resolved.
Concerns Regarding Accellion’s Response
Incident responders have criticized Accellion’s handling of the incident, saying the company was slower than expected to alert customers to the potential danger.
The Reserve Bank of New Zealand, for example, expressed concerns about the timeliness of notifications received from Accellion. The bank relied on Accellion to inform it of any system vulnerabilities but received no warnings in December or January.
“In this instance, their notifications to us did not leave their system and therefore did not reach the Reserve Bank before the breach,” said RBNZ governor Adrian Orr. “We received no advance warning.”
Email Notification Failure
A KPMG International investigation revealed that Accellion’s email tool malfunctioned, preventing the delivery of vulnerability notifications. “Software updates to address the issue were released by the vendor in December 2020 shortly after discovering the vulnerability. However, the email tool used by the vendor failed to send the email notifications, and consequently, the Bank was not notified until January 6, 2021,” the KPMG assessment stated.
Furthermore, KPMG found no evidence that Accellion informed the bank about active exploitation of the vulnerability at other customer sites. This information, if provided promptly, could have significantly influenced the bank’s decision-making process.
Transition to Kiteworks
Accellion announced in March its plans to retire the 20-year-old FTA product in April, having spent three years transitioning clients to its new platform, Kiteworks. A May press release indicated that 75% of Accellion customers had migrated to Kiteworks, meaning 25% were still using the now-retired FTA product.
This, coupled with Accellion’s reduced involvement in the incident response, suggests the list of victims may continue to grow.
Growing List of Victims
The total number of organizations affected remains unclear, with estimates reaching around 300. Notable victims include Qualys, Bombardier, Shell, Singtel, the University of Colorado, the University of California, Transport for New South Wales, Office of the Washington State Auditor, Kroger, and Jones Day.
Importance of Thorough Patch Management
“Simply patching software and moving on isn’t the best approach when a patch is issued for software that has been actively exploited,” explained Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, to TechCrunch. “Patch management strategies should include reviews for indications of previous compromise, as the goal is to protect systems from compromise.”
Accellion declined to provide further comment.
