Cyber Incident Victim: Royal Dutch Shell

Date: Jan 2021

Location: United States of America

Summary

Shell experienced a data breach stemming from exploited vulnerabilities in Accellion's legacy File Transfer Appliance (FTA), which allowed unauthorized access to files containing personal data and information related to the company and its stakeholders during a limited period. The compromised system was isolated from core IT infrastructure, mitigating broader impacts. The organization engaged affected individuals, stakeholders, and regulators while investigating the incident. The attack campaign, linked to cybercrime groups resembling FIN11 and Clop ransomware operators, also impacted other entities including a national central bank, aerospace firms, retailers, and legal organizations. Accellion reported that a minority of its FTA customers experienced significant data theft as part of this exploitation.

Description

Shell disclosed in March 2021 that it suffered a data breach stemming from vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) product. The company confirmed unauthorized access to files during a limited period, with compromised data including personal information and records from Shell subsidiaries and their stakeholders. Shell emphasized that its core IT systems remained unaffected due to the FTA’s isolation from primary infrastructure. Upon discovering the breach, the company patched the exploited vulnerabilities and initiated an investigation. Shell notified impacted individuals and stakeholders, offering support to address potential risks, and engaged with relevant regulatory authorities throughout the investigation. The exact timeline of the breach and the specific vulnerabilities leveraged remained undisclosed, though Shell’s statement indicated prompt containment efforts.

The incident was part of a broader campaign targeting Accellion FTA users between December 2020 and January 2021. Accellion had patched two zero-day vulnerabilities in late December, but attackers exploited a third flaw in January to compromise organizations, including Shell. Other confirmed victims included Singtel, the Reserve Bank of New Zealand, Bombardier, Kroger, and Jones Day. Security firm FireEye noted tactical overlaps with the FIN11 cybercrime group and the Clop ransomware operation, which leaked stolen data from some victims. Accellion reported that fewer than 100 of its approximately 300 FTA customers were affected, with under 25 experiencing substantial data theft. Shell’s breach highlighted the risks of legacy systems despite its assertion of segregated infrastructure limiting operational impact.
