Cyber Incident Victim: Accellion
Date: Jan 2021
Location: United States of America
Summary
A cyberattack exploiting vulnerabilities in Accellion's legacy file transfer application compromised multiple clients, leading to data theft and extortion demands by threat actors. The attackers, identified as CLOP, threatened to publicly release stolen information unless victims paid ransoms, and published data dumps for entities that refused to pay. Impacted organizations spanned various sectors, including higher education institutions, legal firms, telecommunications providers, and financial services, with sensitive data from thousands of individuals exposed. Accellion initially addressed a critical vulnerability but later discovered additional flaws as attackers persisted, widening the breach's scope. The incident forced affected clients into difficult decisions regarding ransom payments, while responsibility for the compromised systems remained in dispute.
Description
The Accellion data breach emerged publicly in January 2021 when the California-based cloud solutions firm disclosed unauthorized access to its legacy File Transfer Appliance (FTA) product. Accellion characterized the incident as involving a zero-day vulnerability initially detected in mid-December 2020, for which it developed and deployed a patch within 72 hours. The company estimated approximately 50 clients were affected and claimed all impacted entities received notification by December 23, 2020. However, subsequent investigations revealed additional vulnerabilities as attackers continued exploiting the FTA system through January 2021, prompting Accellion to issue updated statements in early February acknowledging the additional flaws and the expanded scope of the attack.

Multiple organizations confirmed breaches through their Accellion FTA implementations beginning in February 2021. The CLOP ransomware gang claimed responsibility for data exfiltration and extortion attempts, threatening to publish stolen data unless victims paid ransoms. Jones Day law firm became the first publicly identified extortion target on February 13 when CLOP dumped alleged firm data on dark web leak sites after reportedly receiving no response to ransom demands. Numerous additional victims followed, including Singapore Telecommunications (SingTel), which disclosed the compromise affected 129,000 customers and employees; transportation agency Transport for New South Wales; universities such as Colorado, Miami, Stanford, and Maryland; and corporations including Bombardier, Qualys, and Shell. CLOP systematically added victim organizations to its leak site throughout March 2021, with confirmed data dumps occurring as late as March 29 for the University of California (UCnet). While some entities like Jones Day maintained their internal systems were not breached, attributing the incident solely to Accellion's compromised platform, CLOP asserted direct targeting of the victim organizations themselves. The attacks resulted in confirmed data exposure for at least 18 named entities across government, education, legal, and corporate sectors, with extortion demands and publication timelines varying by victim.
