Risk Update

Accellion-related Law Firm Security Breaches in Focus

I just spotted the story below, which was published in January. That makes three firms known to be affected by the Accellion breach. That got me looking into more details, which I thought I’d share. First: “Australian Law Firm Allens Falls Prey to Cyberattack” —

  • “The top-tier Australian law firm Allens was struck in a cyberattack after an IT company it used to share sensitive information and client data was compromised, according to a media report.”
  • “The Australian Financial Review reported that a file-sharing system provided by Californian cloud company Accellion and used by Allens was accessed illegally earlier this month.”
  • “The sensitive information shared via Accellion included commercial-in-confidence documents related to Westpac, an Australian bank and financial services provider, in its defense of a case in which it was charged with breaching anti-money laundering laws, the newspaper reported.”
  • “In a statement, Palo Alto-based Accellion said it was made aware of the vulnerability in mid-December and released a patch within 72 hours. Fewer than 50 customers were affected, it said.”

“Hack of Software Provider Accellion Sets Off Global Ripple Effects” —

  • “The hack of software provider Accellion USA LLC has renewed security experts’ fears of attacks on suppliers and highlighted the difficulty of defending against them in real time.”
  • “A growing list of affected customers have shared timelines of the attack and claims of inadequate software patches that at times contradict the vendor’s account of events. The disclosure this week that victims include Jones Day—a law firm that handles sensitive information for clients—underscores how individuals who don’t interact with Accellion directly nonetheless might be exposed, security experts say.”
  • “Palo Alto, Calif.-based Accellion said in a Jan. 12 blog post that it learned in mid-December of a vulnerability in its File Transfer Appliance software, a 20-year-old tool to share large documents. ‘Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,’ the company said. In an update posted Feb. 1, Accellion said it notified ‘all FTA customers’ of the vulnerability on Dec. 23.”
  • “Some customers affected by the hack have offered a different sequence of events. The Washington State Auditor’s Office, which reported that personal data of more than 1 million applicants for unemployment benefits might have been accessed through the FTA tool, said in a Feb. 1 news release that it ‘first learned of the incident on Jan. 12.’”
  • “Accellion shared information ‘over the next few weeks’ that helped the office conclude it was affected, Kathleen Cooper, a spokeswoman for the Washington State Auditor’s Office, said in a statement.”
  • “New Zealand’s central bank reported some of its files stolen in the attack… ‘Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach,’ bank Governor Adrian Orr said in a Feb. 9 statement.”
  • “The conglomerate Singapore Telecommunications Ltd., known as Singtel, reported that the incident lasted weeks and led to hackers taking data, including information from 129,000 individual customers and 23 enterprises such as suppliers and corporate clients.”

“Accellion Hack Prompts Class Action From Washington Residents” —

  • “Accellion Inc. is to blame for a recent hack of the Washington State Auditor’s Office because it negligently marketed the outdated file transfer system targeted in the cyberattack, according to a new proposed class action filed in California federal court.”

“Accellion Security Incident Impacts Kroger Family of Companies Associates and Limited Number of Customers” —

  • “The Kroger Co. (NYSE: KR) Family of Companies today confirmed that it was impacted by the data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers.”
  • “At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted. In addition, current and certain former associates will be notified that certain HR records have been impacted.”