Accellion Data Breach Ensnares Energy Giant ShellMeanwhile, Clop Ransomware Group Turns Up the Heat on Another Victim
The Accellion File Transfer Appliance data breach continues to cause anguish. The energy company Shell has disclosed that it has been affected. Meanwhile, some customers of a Michigan-based bank have been informed that personally identifiable data has been exposed via the FTA breach.
Accellion disclosed in January that attackers had breached its 20-year-old FTA with a SQL injection zero-day vulnerability in mid-December. The situation escalated as attackers subsequently found more vulnerabilities and continued making attacks through January.
Some of that stolen data has ended up in the hands of the Clop ransomware gang, which is extorting affected companies. The group is exposing the data on a website to pressure victims to pay money to remove the data from public view (see Accellion: How Attackers Stole Data and Ransomed Companies).
Shell published a notice on March 16 saying that attackers gained access to personal data in its FTA "during a limited window of time" although it did not specify when. Shell's notification was first spotted by Bleeping Computer.
Shell says the data loss is confined to its FTA. "There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure," it says.
The company says it has contacted affected individuals and stakeholders as well as relevant regulators and authorities.
No data related to Shell has yet turned up on the Clop gang's website.
In a related development, Michigan-based Flagstar Bank has informed some customers that a breach of its FTA exposed their names, phone numbers, addresses and Social Security numbers. This news was first reported by Vice's Motherboard.
Flagstar had published a notice saying that it had been affected by Accellion but didn't offer many details.
One victim told Motherboard they hadn't had an account with the bank for more than a decade. Another said he didn't have a direct relationship with the bank, but his mortgage had been sold to Flagstar.
Kyle Lady, a Michigan resident, posted a screenshot on Twitter of a letter he received from Flagstar. He writes that he hasn't had an account at the bank for more than a decade, although he is a beneficiary on a family member's account.
love to have your name, address, phone number, and ssn on documents uploaded to a file transfer platform that gets popped. i haven't even had a @flagstar acct in a decade, must be from getting put on my mother's acct a few years back. pic.twitter.com/MvUXkD7cD5— Acting Deputy Secretary Kyle Lady (@kylelady) March 22, 2021
These cases raise questions as to how long the bank kept documents containing personally identifiable information on its FTA. A Flagstar spokeswoman declined to answer questions and referred to information previously posted on the company's website.
Flagstar warned customers that "those responsible for this incident are in some cases contacting Flagstar customers by e-mail and by telephone. These are communications from unauthorized individuals responsible for the Accellion incident, and you should not respond to them."
Accellion notified the bank on Jan. 22 that the FTA platform contained a vulnerability that had been exploited, Flagstar says. The bank permanently discontinued using the platform. It has contracted with Kroll to provide two years of credit monitoring, fraud consultation and identity theft restoration to those affected.
The Clop ransomware gang first started publishing the bank's data on its website on March 8. That included employee information, Vice's Motherboard reported a day later. The published material as of Tuesday morning included tax and mortgage documents, presumably from bank customers.
The Other Victims
Accellion has said it still had 300 FTA clients when the attacks occurred. The company said it believed fewer than 100 were victims of an attack, and fewer than 25 "appear to have suffered significant data theft" (see: The Accellion Mess: What Went Wrong?).
The clients that have turned up on the Clop gang's website include Singtel, one of Singpore's mobile carriers; Jones Day, a law firm; Transport for New South Wales, the Australian state's transport agency; and Qualys.
Other victims that have made public statement regarding a breach related to Accellion include the Washington State Auditor’s Office; the Australian Securities and Investments Commission, the country's financial regulator; the Reserve Bank of New Zealand; the University of Colorado and the supermarket chain Kroger.
The healthcare sector also has reported several data breaches tied to FTA. One of those victims, health insurer Centene, has sued Accellion, alleging the company has refused to comply with a list of provisions in its business associate agreement.
How illicit access to victims' FTAs ended up in the hands of a ransomware gang remains unknown.
On March 1, Accellion and FireEye Mandiant published the findings of their investigation into the attacks.
The first SQL injection vulnerability was exploited by a group FireEye Mandiant calls UNC2546. UNC stands for uncategorized, which means that it can't be linked yet to a known attack group. A few weeks later, some victims received ransom notes from a second group, which FireEye Mandiant calls UNC2582.
How the Clop gang enters into all of this is still under investigation. But FireEye Mandiant wrote there appears be some overlap between Clop, UNC2582 and another long-known group called FIN11, which has been around since at least 2016.