Article

Client alert: Accellion cyber incident

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

March 11, 2021

Risk impacts and considerations stemming from the cyberattack on Accellion FTA (File Transfer Appliance).

Accellion FTA (File Transfer Appliance), a 20-year-old product nearing end-of-life, was the target of a sophisticated cyberattack on or around December 23, 2020. Although it has been on the market for some time, it is still used by hundreds of organizations in the finance, government and insurance sectors, along with law firms, to address a recognized need: the transfer of large, sensitive files that exceed email attachment size limits. Given its age and wide use in sharing large files with external parties, Accellion FTA was a particularly attractive target. Because applications such as OneDrive, Google Drive, Box, Dropbox and Microsoft Teams did not exist when FTA was introduced, many companies adopted the appliance early on. Over the last few months, however, several SQL injection vulnerabilities and a number of other vulnerabilities in the appliance were uncovered and exploited.

The Accellion cyber incident is thought to have impacted at least 300 Accellion customers, but the damage continues to be unveiled. While exploiting vulnerabilities in vendor software is not an uncommon pastime for bad actors, what’s different about the Accellion event is the nature of the data being breached and the size of the ransoms being demanded.

Situation

Accellion is a privately held company based in Palo Alto, California, which developed the File Transfer Appliance (FTA) as a secure way to overcome limits imposed on the size of email attachments. As files are fed through the FTA, it creates a URL for each document. Recipients then receive these links to files hosted on the FTA, which can be downloaded.

While any piece of software can have vulnerabilities, a recent external audit of FTA found no problems and concluded that the vulnerabilities were hard to find. Zero-day vulnerabilities were discovered in the FTA software in December 2020 and a SQL injection flaw was exploited. [1] Accellion released a fix within 72 hours of the attack, but the initial incident was the beginning of a series of cyberattacks on the FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability. The company has provided notifications to its customers and continues to work closely with those customers affected in order to mitigate the impact of the attack and monitor for anomalies. [2] Unfortunately, the vulnerable FTA product has apparently compromised the security of numerous customer organizations, including:

  • A government agency – 1.6 million unemployment claims may have been exposed through its FTA
  • A federal reserve bank – transactions and sensitive documents were exposed
  • Two of the largest law firms in the country – confidential client data, employee data and firm communications were breached as a result of FTA vulnerabilities
  • A university – student, prospective student and employee personally identifiable information, along with limited health, clinical, study and research data, was exposed
  • A large telecommunications company – FTA was used for internal and external information sharing with stakeholders; customer data and certain files were breached as a result of the vulnerabilities in the FTA product
  • A large grocery store chain – customer data, including sensitive health and money service data, was breached; current and former employee human resources (HR) records were also impacted
  • An airplane manufacturer – also affected by the Accellion “supply-chain” breach, it reported that personal and other confidential information relating to employees, customers and suppliers was compromised

In all cases, the Accellion FTA file transfer platform was compromised and information was taken. Ransom demands were significant, ranging from 2x to 10x traditional ransomware payments. Accellion originally stated that fewer than 50 customers had been impacted, but more recent counts place the number closer to 300 or more. Consequently, Accellion announced the official retirement of the FTA product as of April 2021 and recommended that customers migrate to its newer product, Kiteworks. [3]

Actionable recommendations

The attack on Accellion and its FTA software highlights the importance of examining third-party software at a regular frequency in order to persistently protect confidential client data, privacy and cybersecurity. If your firm makes FTA software available to employees and contractors, consider disabling access to the software and taking the appliance offline after backing up the files it holds. Finding an alternative file sharing mechanism that meets current security standards is also advised.

While transitioning to a new platform may cause some discomfort for users, the security of personal, client and company information is paramount and well worth the resources required to secure it. Providing comprehensive user guidance for the new file sharing capability is strongly advised, and it supports the ongoing cybersecurity training of employees.

Insurance considerations

The Accellion incident represents another example of how understanding your organizational cyber risk exposure can maximize the value of cyberinsurance. The FTA zero-day vulnerabilities and recent SolarWinds events continue to heighten awareness of the importance of preparing a plan for mitigating cyber risks. Given the data privacy and ransomware concerns associated with these incidents, having a strong cyberinsurance strategy is paramount.

Willis Towers Watson can assist your organization in assessing its cyber risk with the Cyber Quantified decision-support tool. Cyber Quantified evaluates a firm’s complete cyber loss potential and provides decision support to optimize its risk management strategy. The tool interactively incorporates network outage risk and privacy breach liability, which can help your organization determine the insurance structure that best fits its exposure. The Cyber Risk Solutions team can also provide tailored cyber consulting that supports insurance goals, aligns cyber risk management with business objectives, and delivers cost-effective cyber risk resilience.

Why Willis Towers Watson

More than half of all cyber incidents begin with the cyber culture of an organization: the attitude of its employees towards cybersecurity and how they treat it. Cyber incidents are quite frequently a people problem. The average breach costs $4 million, so it is also a capital problem. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions, help you understand your cyber risk exposure, and radically improve your ability to recover successfully from future attacks.

Footnotes

[1] https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/

[2] https://gizmodo.com/the-accellion-data-breach-seems-to-be-getting-bigger-1846250357

[3] https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
