Cyber Incident Victim: Miami University

Date: Dec 2020

Location: United States of America

Summary

A threat actor exploited vulnerabilities in an older third-party file transfer system used by the University of Miami, leading to unauthorized access and subsequent extortion attempts. The attackers leaked samples of compromised files, including protected health information from the university's health system and a records request involving a VA Medical Center patient. The institution discontinued use of the affected Accellion service, initiated an investigation with cybersecurity experts, and notified law enforcement. While confirming the breach was limited to the third-party file transfer server and did not compromise other internal systems, the university continues to analyze impacted data to identify affected individuals for notification under applicable laws. Precautionary guidance was provided to the community regarding identity protection measures.

Description

In December 2020 and January 2021, threat actors exploited multiple vulnerabilities in an older file transfer system provided by third-party vendor Accellion. The University of Miami was among several Accellion clients targeted in this campaign, which involved extortion demands threatening public data leaks if payments were not made. Attackers compromised the university's Accellion server, which was used by a limited number of individuals to transfer files too large for email. On March 23, 2021, the threat actors added the University of Miami to their dark web leak site, posting sample files containing protected health information (PHI) from the university's health system or hospital. Screenshots of these files were publicly displayed to pressure the institution into paying the ransom.

The University of Miami initiated an immediate investigation upon discovering the incident, engaging leading cybersecurity experts and coordinating with law enforcement. Officials confirmed the breach was contained to the Accellion server and did not compromise other university systems or external networks linked to their infrastructure. Use of Accellion services was permanently discontinued following the attack. While the investigation remained ongoing, preliminary findings indicated PHI exposure limited to files stored on the compromised server. The university began analyzing affected data to identify impacted individuals for notification under applicable laws. Community communications advised precautionary measures including credit monitoring and fraud alerts, while establishing a dedicated call center for inquiries. A records request from the Bruce W. Carter VA Medical Center appeared in leaked samples, though it remained unclear whether VA systems were independently compromised or if the file originated solely from Miami's server. No evidence suggested broader network infiltration beyond the retired file transfer service.
