Cyber Incident Victim: Stanford University
Date: Mar 2021
Location: United States of America
Summary
Stanford University, alongside other educational institutions, government entities, and private organizations, was impacted by a cyberattack that exploited a vulnerability in Accellion's File Transfer Appliance (FTA). The FIN11 hacking group stole and subsequently published sensitive data, including personal information, on a Tor-based leaks site as part of a broader campaign targeting Accellion FTA users. The breach stemmed from unauthorized access to the legacy file-sharing service, which had been used to transfer large files, leading to significant data compromise across multiple sectors.
Description
In March 2021, Stanford University was affected by a cybersecurity incident involving unauthorized access to Accellion’s legacy File Transfer Appliance (FTA) service. The breach impacted multiple organizations globally, including Shell, Qualys, Kroger, Jones Day, Bombardier, the Washington State Auditor’s Office, and several universities. Cybercriminals affiliated with the FIN11 hacking group exploited vulnerabilities in Accellion’s FTA, a file-sharing service nearing retirement, which had approximately 300 customers at the time. Up to 25 organizations experienced significant data compromise. Stanford was explicitly named among the affected educational institutions alongside the University of Miami, Yeshiva University, University of Maryland, University of California, and University of Colorado. FIN11 subsequently published stolen data on a Tor-based leaks website typically used to extort victims of Clop ransomware attacks. Shell confirmed attackers exfiltrated corporate data and employee personal information during the incident, though Stanford did not publicly disclose the specific nature or volume of its compromised data.

The University of Miami, another affected institution, issued a breach notification on March 26, 2021, confirming unauthorized access to its Accellion FTA instance, which had been used by a limited number of individuals to transfer large files. Miami discontinued the service immediately after discovering the breach. FIN11 leaked UHealth patient data, including names, phone numbers, and email addresses. While Stanford’s specific response measures were not detailed in available reports, the broader incident highlighted the targeting of entities across medical, legal, telecommunications, retail, energy, and higher education sectors. The Washington State Auditor’s Office breach alone impacted over 1 million individuals, underscoring the scale of the Accellion compromise. No further technical details regarding Stanford’s detection methods, containment procedures, or direct operational impacts were publicly confirmed.
