Cyber Incident Victim: University of Maryland, Baltimore

Date: Mar 2021

Location: United States of America

Summary

A ransomware group breached the University of Maryland's Baltimore campus through an Accellion file transfer system compromise, employing double-extortion tactics by encrypting data and threatening leaks. Stolen records included sensitive personal information such as Social Security numbers, passport details, federal tax documents, immigration statuses, birth dates, and academic records belonging to students, faculty, and staff. The attackers subsequently leaked samples of this data online, exposing financial and identification materials. The institution confirmed the incident, offered credit monitoring to affected individuals, and notified authorities while asserting no additional systems were compromised beyond the initial breach. The incident mirrored similar attacks against other universities linked to the same threat actors.

Description

On March 29, 2021, the Clop ransomware group published screenshots of stolen data allegedly belonging to the University of Maryland, Baltimore, marking the public phase of a cyberattack initially linked to a breach of the university’s Accellion File Transfer Appliance (FTA) server in late December 2020. The attackers employed a double-extortion strategy, first deploying ransomware and then threatening to leak sensitive data unless ransom demands were met. Leaked documents included federal tax forms, tuition remission paperwork, nursing board applications, passports, and tax summaries, exposing personally identifiable information (PII) such as names, addresses, Social Security numbers, immigration statuses, and birth dates. The University of Maryland, College Park, initially confirmed the breach but later clarified that the compromised files pertained specifically to the Baltimore campus. The incident mirrored contemporaneous attacks by Clop against other academic institutions, including the University of California, Merced, which suffered similar data exposures involving retirement documents, benefit requests, and health savings enrollments.

The University of Maryland, Baltimore, responded by initiating credit monitoring services for affected individuals and notifying relevant authorities. University officials confirmed that the breach was isolated to the Accellion FTA system, with no evidence of further network compromise after March 29, 2021. The leaked data impacted students, faculty, and staff, exposing them to potential identity theft and financial fraud due to the sensitive nature of the stolen records. Clop’s tactics aligned with its broader campaign targeting vulnerabilities in Accellion FTA, as evidenced by prior breaches at the University of Miami, University of Colorado, and Shell. The group’s history of high-profile attacks, including a $50 million ransom demand against Acer, underscored the severity of the incident. While the university did not disclose whether ransom negotiations occurred, its public updates emphasized containment efforts and the specificity of the Baltimore campus as the primary affected entity.
