
Cyber Incident Victim: Durham Region

Date:

Jan 2021

Location:

Canada

Summary

Durham Region experienced a cyberattack involving unauthorized access to its systems, attributed to threat actors associated with CLOP, who exploited vulnerabilities in a third-party file transfer service. The attackers exfiltrated approximately 6.5 GB of sensitive data, including child-related and student-related files containing personal information, subsequently leaking the information on their platform. The breach was linked to vulnerabilities in Accellion's software, with forensic evidence indicating folder structures consistent with Accellion's compromised file transfer service. Regional systems were secured after the incident, though the attack exposed individuals to potential extortion attempts and targeted phishing campaigns leveraging stolen data.


Description

Durham Region experienced a cyberattack in January 2021, with the breach publicly acknowledged following a statement from regional officials. The attackers exploited a vulnerability in a third-party software provider, though the region’s initial communication did not identify the provider or specify the attack’s origin. Regional systems were secured after the exploit was detected, and the vulnerability was addressed. Cybersecurity researchers linked the incident to the CLOP threat actor group, which published approximately 6.5 GB of data allegedly exfiltrated from durham.ca on its leak site. CLOP’s involvement raised questions about whether the group directly conducted the attack or leveraged data obtained through affiliates. The slow download speeds from CLOP’s site temporarily limited broader dissemination of the stolen data.

Subsequent analysis confirmed the breach stemmed from vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), which Durham Region used for secure file transfers. Attackers exploited one of four Accellion FTA vulnerabilities CLOP had identified, with the compromise date aligning with January 21, 2021. Directory structures within the leaked data, including folders named with email addresses, matched patterns observed in other Accellion-related breaches. The exposed files contained sensitive child-related and student-related information, heightening risks of identity theft and targeted phishing campaigns. Durham Region did not initially disclose the full scope of impacted data, though experts urged affected individuals to verify communication authenticity due to potential extortion attempts or socially engineered scams. The incident underscored operational disruptions and data exposure risks associated with third-party software dependencies.
