Accellion, a provider of hosted file transfer services, recently agreed to pay $8.1 million to settle a class-action lawsuit related to a data breach in December 2020. The lawsuit, filed in a California Federal Court, claims that Accellion failed to protect the sensitive information of millions of users after threat actors exploited a vulnerability in Accellion’s file transfer appliance (FTA).
Based in California, Accellion is a private cloud solutions company providing software for third-party secure file transfers. The data breach occurred due to a bug in Accellion’s file-sharing software, used by several organizations globally.
The data breach affected many Accellion clients. It impacted millions of users’ sensitive data, such as names, birthdates, Social Security numbers, banking details, and medical and driver’s license information. The lawsuit stated that Accellion failed to identify vulnerabilities in its FTA platform and to implement the data security measures necessary to secure the classified information of clients and users.
One Bug – Multiple Attacks
Accellion detected a zero-day vulnerability in its FTA platform in December 2020 and released a patch to fix it. However, in February 2021, the company found four additional flaws in the platform. Several cybercriminal groups started exploiting the flaws to steal sensitive corporate data.
Accellion also issued a statement regarding the constant attacks that exploited its legacy FTA product. The company claimed that the cybercriminal group UNC2546 is likely behind the hacks and data breaches. The threat group sent several extortion emails to the victims, threatening to publish their sensitive data on the group’s CL0P LEAKS site on the dark web.
The Bandwagon of Accellion Data Breaches
The ripples of Accellion’s flaw resulted in several data breach incidents, impacting the numerous companies that use Accellion file transfer services. Threat actors attacked several organizations globally by exploiting the Accellion vulnerability. Critical organizations like the Office of the Washington State Auditor (SAO), the Australian Securities and Investments Commission (ASIC), and New Zealand’s Reserve Bank suffered security breaches.
A recent victim of the Accellion hacks is Morgan Stanley. The global financial services provider reported a data breach after unknown hackers pilfered the private data of its customers by exploiting the bug in an Accellion FTA server hosted by a third-party vendor.