The Accellion Data Breach – What We Know And What Can Be Learned From It
5/14/2021
Considered the biggest data breach of 2020, the Accellion data breach affected hundreds of high-profile companies across all industries and compromised the sensitive data of millions of users, patients, and individuals. Months later, we are still seeing companies being affected.
In this blog, we look at what went wrong, who was affected, and what we can learn from the incident.
Who is Accellion?
Accellion is a California-based file-sharing company specializing in B2B file-sharing software and collaboration. The data breach affected the company’s File Transfer Appliance (FTA), a 20-year-old legacy product.
Where did the breach originate?
The first incident took place in December 2020. Accellion’s File Transfer Appliance was subject to what’s known as a zero-day exploit, an attack on a software vulnerability that is unknown to the vendor and therefore unpatched, leaving it open to exploitation. The SQL injection vulnerability allowed hackers to extract data before a patch was finally implemented toward the end of December. Three further vulnerabilities were patched in the following month.
Compromised data included sensitive and identifiable information such as social security numbers, names, addresses, financial information, academic transcripts, passport numbers, medical records, research grants, and employment contracts.
Two hacking groups were identified as being involved, one of whom was tied to a ransomware group that attempted to extort those affected for financial gain. More recent reports claim multiple threat groups took advantage of the vulnerability.
Since the data breach, Accellion claims that all known vulnerabilities in the FTA software have been closed and that the platform has been discontinued.
Who was affected by the Accellion breach?
The data breach affected approximately 300 organizations worldwide spanning several industries, including many places of higher learning and healthcare organizations.
Some of the most high-profile victims of the breach include the Shell Oil Company, the University of California, Stanford University School of Medicine, the Australian Securities and Investments Commission, the Reserve Bank of New Zealand, the Kroger supermarket chain, the University of Maryland in Baltimore, the University of Miami, the University of Colorado, law firm Jones Day, and the Washington State Auditor (SAO).
The number of individual victims runs into the millions.
How could it have been prevented?
Any kind of file-sharing software, or any third-party software that forms part of your supply chain, should be subjected to a thorough risk assessment before use. Adopting an accredited risk framework ensures the proper processes exist to identify possible threats before it's too late.
Most of the data shared using the FTA was sensitive in nature. Privacy laws such as HIPAA, which applies to the medical industry, FERPA, which applies to the educational sector, and the GLBA, which governs the privacy of financial information, require organizations to safeguard the privacy of sensitive data. This can be achieved with a proper security framework and protocols, used in unison with data protection software.
A data protection solution like data masking secures data at all levels within an organization. It works by de-identifying sensitive data elements in development or production environments, ensuring that any data accessed by employees or shared outside of the business cannot be used to identify an individual or be leveraged for extortion.
The advantage of data masking is that companies can still leverage data for testing and analytical purposes as only predefined identifiable elements are masked.
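As an added illustration of the policy-driven masking described above (example code written for this post, not Hush-Hush's product or its patented algorithms), the following Python masks only predefined identifying fields in constructed patient records, keeping the analytic fields intact and the pseudonyms consistent so records can still be joined:

```python
import hmac
import hashlib
import re

# Constructed sample records standing in for the kinds of fields the post lists
# (SSNs, names, passport numbers, medical data). Not real people.
SAMPLE_RECORDS = [
    {"patient_id": 1001, "name": "Alice Example", "ssn": "123-45-6789",
     "passport": "X1234567", "diagnosis_code": "E11.9", "age": 47},
    {"patient_id": 1002, "name": "Bob Sample", "ssn": "987-65-4321",
     "passport": "Y7654321", "diagnosis_code": "I10", "age": 63},
    {"patient_id": 1003, "name": "Alice Example", "ssn": "123-45-6789",
     "passport": "X1234567", "diagnosis_code": "J45.20", "age": 47},
]

# Hypothetical masking policy: fields that must never leave the environment in
# clear. Everything else (diagnosis code, age) stays usable for analytics.
MASK_POLICY = {
    "name": "pseudonym",   # consistent token so joins still work
    "ssn": "partial",      # keep last four digits, format preserved
    "passport": "redact",  # no analytic value: blank it entirely
}

def _pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC: the same input always maps to the same token,
    but the token cannot be reversed or recomputed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSEUDO-" + digest[:12]

def _partial_ssn(value: str) -> str:
    """Keep the NNN-NN-NNNN shape but reveal only the last four digits."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        raise ValueError("unexpected SSN format")
    return "***-**-" + digits[-4:]

def mask_record(record: dict, key: bytes, policy: dict = MASK_POLICY) -> dict:
    """Return a masked copy of the record; only policy fields are altered."""
    out = dict(record)
    for field, method in policy.items():
        if field not in out:
            continue
        if method == "pseudonym":
            out[field] = _pseudonym(str(out[field]), key)
        elif method == "partial":
            out[field] = _partial_ssn(out[field])
        elif method == "redact":
            out[field] = "[REDACTED]"
    return out

def mask_dataset(records, key: bytes):
    return [mask_record(r, key) for r in records]
```

The masking key must be stored and rotated like any other secret; whoever holds it can recompute the pseudonym for a known name, so it stays out of the test and analytics environments that receive the masked copy.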
Take action now
Data breaches are expensive and can be catastrophic for businesses. Many of the organizations affected by the Accellion breach are facing heavy fines and lawsuits. Taking preventative action and safeguarding sensitive data is the most effective way of preventing incidents like data breaches and ransomware attacks.
Hush-Hush Data Masking Components de-identify sensitive data in your organization quickly and easily by using a variety of patented algorithms to satisfy multiple scenarios and compliance requirements. The Hush-Hush data masking tool anonymizes data in databases, files, messages, and in-memory during runtime, and can be run on a configured schedule or ad-hoc as needed. Our software is trusted by hundreds of users to anonymize sensitive data both on-premises and in the cloud.
Request a free demo or trial today.