Date: Dec 2020

Location: Australia

Summary

QIMR Berghofer Medical Research Institute experienced a data breach through a zero-day vulnerability in Accellion's legacy FTA file transfer service, exploited before a security patch could be applied. Attackers accessed anonymized clinical trial participant data—including demographic information, coded identifiers, and limited medical histories—alongside approximately 30 employee resumes stored on the compromised system. The de-identified nature of the clinical data prevented direct notification of malaria study participants, though no personally identifiable information was confirmed exposed in the incident.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The QIMR Berghofer Medical Research Institute disclosed a data breach on February 11, 2021, stemming from a zero-day vulnerability in Accellion’s legacy File Transfer Appliance (FTA) software. Threat actors exploited this vulnerability on December 25, 2020, accessing approximately 4% (620MB) of data stored on the FTA system. QIMR Berghofer first received notification from Accellion to patch the vulnerability on January 4, 2021, but was not informed of the actual breach until February 2, 2021. The compromised data included de-identified clinical trial participant information such as initials, date of birth, age, gender, ethnic group, and participant codes, alongside some anonymized medical histories. Approximately 30 employee resumes stored on the FTA system were also accessed. The institute confirmed the data was anonymized prior to storage, with participants referenced only by codes to protect identities, which simultaneously prevented direct notification of affected individuals.


QIMR Berghofer utilized Accellion’s FTA service to share clinical trial data for anti-malaria drug research and collaborate with the Mosquito and Arbovirus Research Committee. The breach exposed operational details of these trials but did not compromise personally identifiable information due to pre-existing anonymization protocols. Despite the lack of direct identifiers, the institute acknowledged the sensitivity of the accessed health data and the potential risks associated with aggregated de-identified information. No evidence suggested misuse of the data at the time of disclosure. QIMR Berghofer issued a public statement detailing the incident’s scope and provided contact information for concerned stakeholders, emphasizing transparency while highlighting the limitations in participant outreach due to anonymization practices. The institute did not report taking additional containment measures beyond Accellion’s patch deployment, as the FTA system’s role in the breach had already been mitigated by the time of notification.
