The SolarWinds attack, discovered in December 2020, was considered one of the biggest hacks of the decade. It soon had competition: the Accellion hack, discovered around December 23, 2020, only weeks after SolarWinds.
Initially, the Accellion hack appeared to be limited to a few organizations. As the dust settled, however, critical organizations such as the Office of the Washington State Auditor (SAO), the Australian Securities and Investments Commission (ASIC), and New Zealand's Reserve Bank came forward and disclosed their respective breaches. The latest to join this list is the Australian medical research institute QIMR Berghofer. In a media release, QIMR Berghofer said it is investigating a "likely data breach through their third-party file-sharing system Accellion."
Effects of Accellion Hack on QIMR Berghofer
The institute, which used Accellion's legacy File Transfer Appliance (FTA) product to share clinical trial files, first received a notification on January 4, 2021, to apply a security patch immediately. It took the software offline and applied the patch, after which no issues were reported. On February 2, 2021, however, Accellion sent a second notification informing the institute that it was "likely" affected by a breach that targeted the FTA product itself: the threat actors had exploited a zero-day vulnerability that had existed in the legacy product for a long time.
On receiving the second notification, QIMR Berghofer's IT team took the software down again and launched an internal investigation and forensic analysis. The preliminary investigation found that about 4% (roughly 620MB) of the institute's clinical trial data held in Accellion may have been accessed by an unknown party through the file-sharing system on December 25, 2020. Note the timeline: the access predates the January 4 patch, so the patch closed the vulnerability but could not undo what had already been taken, and only the later forensic work revealed the earlier access.
The institute confirmed that only nine of its staff used the Accellion system, for anti-malaria drug research, and that the records did not contain participants' names or other direct personally identifiable information (PII). Under the strict rules governing clinical trials, participants are referred to by codes rather than their actual names, a practice that limits the damage of a data breach. One caveat a practitioner would add: initials, date of birth and ethnicity are quasi-identifiers, individually harmless but in combination, and when linked to an external dataset, able to narrow a record down to one person, so "de-identified" here means pseudonymised rather than anonymous. Apart from the codes, the potentially breached data includes the following de-identified information:
- Participants' initials
- Date of birth
- Ethnicity of clinical trial participants
- Participant codes
- De-identified medical histories of the participants, keyed by participant code
In addition, the CVs of nearly 30 current and former research staff were stored in the Accellion system and could also have been accessed, according to QIMR Berghofer's Director and CEO, Professor Fabienne Mackay.
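To make the re-identification point concrete, here is an added example (not code from QIMR Berghofer, Accellion, or the original article) that measures how far a pseudonymised dataset with exactly the fields listed above can be singled out or linked back to a named person. The records, the external "known person" record and the field names are constructed for illustration; it shows that replacing names with codes does not prevent linkage when full date of birth is retained, and that coarsening the date of birth to the birth year raises the k-anonymity of this small sample.

```python
from collections import Counter
from datetime import date

# Constructed sample records in the shape of the fields listed above:
# participant code, initials, date of birth, ethnicity. Not real data.
SAMPLE_RECORDS = [
    {"code": "P001", "initials": "JS", "dob": date(1984, 3, 12), "ethnicity": "A"},
    {"code": "P002", "initials": "JS", "dob": date(1984, 3, 12), "ethnicity": "A"},
    {"code": "P003", "initials": "MK", "dob": date(1979, 7, 1), "ethnicity": "B"},
    {"code": "P004", "initials": "MK", "dob": date(1979, 11, 23), "ethnicity": "B"},
    {"code": "P005", "initials": "AL", "dob": date(1991, 1, 30), "ethnicity": "C"},
    {"code": "P006", "initials": "AL", "dob": date(1991, 5, 2), "ethnicity": "C"},
]

# Constructed record an attacker might already hold about a named person
# (e.g. from a public profile or an unrelated leak). Not a real person.
EXTERNAL_RECORD = {
    "name": "(constructed name)", "initials": "MK",
    "dob": date(1979, 7, 1), "ethnicity": "B",
}


def quasi_identifier(record, generalise_dob=False):
    """Return the quasi-identifier tuple (initials, DOB, ethnicity) for one record.

    With generalise_dob=True the full date of birth is coarsened to the birth
    year, the kind of generalisation that reduces re-identification risk.
    """
    dob = record["dob"].year if generalise_dob else record["dob"]
    return (record["initials"], dob, record["ethnicity"])


def k_anonymity(records, generalise_dob=False):
    """Size of the smallest group of records sharing a quasi-identifier tuple.

    k == 1 means at least one participant is unique on initials+DOB+ethnicity
    and can be singled out by anyone holding a matching external record.
    """
    counts = Counter(quasi_identifier(r, generalise_dob) for r in records)
    return min(counts.values())


def singled_out(records, generalise_dob=False):
    """Participant codes whose quasi-identifier tuple is unique in the dataset."""
    counts = Counter(quasi_identifier(r, generalise_dob) for r in records)
    return sorted(
        r["code"] for r in records
        if counts[quasi_identifier(r, generalise_dob)] == 1
    )


def link_external(records, external, generalise_dob=False):
    """Participant codes whose quasi-identifiers match a named external record.

    A single match re-identifies that participant despite the code replacing
    the name; a list of several matches is the attacker's remaining uncertainty.
    """
    target = quasi_identifier(external, generalise_dob)
    return sorted(
        r["code"] for r in records
        if quasi_identifier(r, generalise_dob) == target
    )


if __name__ == "__main__":
    for generalise in (False, True):
        label = "birth year only" if generalise else "full DOB"
        print(f"[{label}] k = {k_anonymity(SAMPLE_RECORDS, generalise)}")
        print(f"[{label}] unique records: {singled_out(SAMPLE_RECORDS, generalise)}")
        print(f"[{label}] linked to external record: "
              f"{link_external(SAMPLE_RECORDS, EXTERNAL_RECORD, generalise)}")
```

With the full date of birth retained, four of the six constructed participants are unique on the three quasi-identifiers and the external record links to exactly one code; with the date of birth generalised to a year, no record is unique and the same external record only narrows the search to two codes. In a real trial dataset the question to ask before calling the data "de-identified" is the same one: what is k over the fields that actually left the system?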
Mackay apologized on the institute’s behalf and said, “We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologize sincerely that some of their de-identified information could potentially have been accessed.”
She added, "Many of these files must be kept for 15 years. However, they did not need to be stored in Accellion. We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location."
QIMR Berghofer is a member of the Australian Cyber Security Centre (ACSC) and has therefore notified both the ACSC and the Office of the Australian Information Commissioner of the potential data breach.
Mackay also noted that, as a legacy solution, Accellion's FTA product had already been scheduled for decommissioning the following month; the breach came first. The lesson echoes what practitioners have long urged: retire legacy products before, not after, they are exploited, and move to current platforms such as Accellion's own Kiteworks, which are designed with security built in from the ground up rather than bolted on. Just as important, keep data in a transfer system only for as long as it is needed; the files exposed here were ones that had no reason to remain in Accellion at all.
It's about time you upgraded your security products!