Cyber Incident Victim: University of Maryland, College Park

Date: Mar 2021

Location: United States of America

Summary

The University of Maryland, College Park suffered a security incident when the Clop ransomware group exploited a vulnerability in its Accellion file transfer system, leading to the theft and subsequent online publication of sensitive data. The compromised files contained personal information including names, addresses, Social Security numbers, tax documents, passport details, and immigration status of students, faculty, and staff. As part of a double-extortion strategy, Clop first deployed ransomware and then threatened to leak data, having previously targeted other educational institutions. The university responded by offering credit monitoring services to affected individuals and notifying relevant authorities, asserting that no further system compromise occurred after the initial breach.

Description

On March 29, 2021, the Clop ransomware group initiated a data leak campaign against the University of Maryland, College Park, by publishing screenshots and files allegedly stolen from the institution. This action was part of Clop's established 'double-extortion' strategy, in which ransomware is deployed and, if a ransom is not paid, the group threatens to release the exfiltrated data and then publishes it. The leaked materials included sensitive documents such as federal tax forms, tuition remission paperwork, nursing board applications, passports, and tax summaries, exposing personally identifiable information including names, addresses, Social Security numbers, immigration status, and birth dates. The breach was traced to a compromise of the university's Accellion File Transfer Appliance (FTA) server, which occurred in late December 2020. The attack on the University of Maryland, College Park, was concurrent with similar operations by Clop against other educational institutions, including the University of California, Merced, where leaked data contained Social Security numbers, retirement documents, benefit requests, and health savings plan enrollments.

Following the public leak, the University of Maryland, College Park, officially confirmed that its Accellion system had been breached, affecting files containing personal data for students, faculty, and staff. In response, the university implemented several containment and remediation steps, including offering credit monitoring services to all impacted individuals and notifying relevant authorities about the security incident. A critical clarification was later provided, noting that while the University of Maryland, College Park, suffered the Accellion breach, the specific files published by Clop on March 29 primarily pertained to the University of Maryland, Baltimore campus, not the College Park location. The university stated that no further system compromise occurred after the data leak publication date of March 29, 2021, indicating the active intrusion phase had been halted. This incident underscored the vulnerability of legacy file transfer systems used by large organizations and demonstrated the continued predatory focus of the Clop gang on the education sector, following earlier leaks from universities in Miami and Colorado.
