Cyber Incident Victim: University of Miami
Date: Dec 2020
Location: United States of America
Summary
The University of Miami suffered a data breach after threat actors exploited vulnerabilities in its third-party Accellion file transfer system, resulting in the dark web leak of files containing protected health information from its health system. The incident was isolated to the Accellion server, which was used for large file transfers and has been discontinued, without compromising other university networks. The university immediately investigated with expert assistance, reported the incident to law enforcement, and is analyzing the data to notify affected individuals; some leaked files also pertained to the Bruce W. Carter VA Medical Center, though the VA's involvement remains uncertain.
Description
In December 2020 and January 2021, threat actors successfully exploited multiple vulnerabilities within an older version of the Accellion file transfer system, a third-party service used by numerous organizations for secure large-file transfers. Following the exploitation, the attackers initiated an extortion campaign against Accellion’s clients, demanding payment to prevent the public release of stolen data. A number of firms reportedly refused to pay these demands, leading the threat actors to publish the exfiltrated files on a known dark web leak site. On March 23, 2021, the University of Miami was added to this leak site, with the actors posting screenshots of files to pressure the institution into payment. The visible sample files appeared to contain protected health information, suggesting they originated from the university’s health system or hospital.

Upon learning of the leak, the University of Miami launched an investigation into a data security incident involving its Accellion server. The university’s initial assessment determined the breach was confined solely to that specific third-party server and did not extend to other University of Miami systems or any externally linked networks. Immediate containment actions were taken, including the permanent discontinuation of all Accellion file transfer services, which had been used by a limited number of university personnel. The university retained external cybersecurity experts to assist with the forensic investigation and reported the incident to law enforcement, pledging full cooperation. A communication was disseminated to the university community confirming the incident, reiterating that the attack was limited to the Accellion platform, and advising standard cybersecurity precautions such as vigilance against phishing. The investigation remained ongoing to analyze the exact data files within the compromised server and to identify all individuals whose personal or protected health information may have been accessed. The university committed to notifying all affected persons in compliance with applicable laws once the analysis was complete and provided a dedicated phone line for community inquiries. Separately, a sample file from the Bruce W. Carter VA Medical Center, a records request, was observed among the leaked screenshots, though it was not clear whether the VA’s own systems were directly compromised or if the file was merely stored on the University of Miami’s Accellion server.
