[BreachExchange] Data from three universities published online in latest Accellion-related data breach

Mon Apr 5 10:44:06 EDT 2021

https://siliconangle.com/2021/04/04/data-three-universities-published-online-latest-accellion-related-data-breach/

Three universities in the U.S. have had data stolen and published online in
the latest data breaches related to a vulnerability in software from
Accellion Inc.

The universities targeted were Stanford University, the University of
Maryland, Baltimore, and the University of California at Berkeley, with one
commonality among them: The stolen data was published by the Clop
ransomware gang.

The Stanford data was stolen from the university’s School of Medicine and
included names, addresses, email addresses, Social Security numbers and
financial information, according to an April 1 story in the Stanford Daily.
The university ticked the standard responses, such as hiring a cyber
forensics firm, informing those affected and contacting law enforcement.
There was no mention of ransomware being involved, although it was noted
that access was gained through the Accellion File Transfer Appliance
vulnerability.

By comparison, the University of Maryland, Baltimore did say that it had
been targeted in a ransomware attack in December, with the stolen data
being published this week. The data stolen in this case included a variety
of personally identifiable information, including federal tax documents,
passports, addresses and Social Security numbers.

Along with informing authorities, Yahoo News reported that the university
decommissioned the Accellion system in February. Unlike Stanford, the
University of Maryland, Baltimore appears to be more ahead of the game when
it comes to responding, already offering security assistance including
credit monitoring and identity restoration services to individuals whose
documents were compromised.

There is no mention of ransomware in the breach of UC Berkeley, but as
opposed to the other two universities there was a twist in its story.
Holders of email accounts at UC Berkeley received email messages stating
that their personal data had been stolen and would be released.

The list of known victims of the vulnerable version of Accellion FTA server
includes Bombardier Inc., Jones Day, the Office of the Washington State
Auditor, Qualys Inc. and Royal Dutch Shell plc., among others.

“When you use third parties, you are essentially taking on the security
risk of that vendor, and if the Accellion breach at Stanford and elsewhere
teaches us anything, it’s to ensure your suppliers have as strong a
security posture as you do,” Demi Ben-Ari, co-founder and chief technology
officer at security management firm Panorays Ltd., told SiliconANGLE. “Your
organization likely wouldn’t rely on end-of-life appliances with
vulnerabilities, but you may be doing just that when you open your network
to other companies.”

Jerome Becquart, chief operating officer of identity solutions provider
Axiad IDS Inc. noted that this illustrates the challenge organizations have
to keep their various systems secure and up to date.

“As our digital ecosystem becomes more and more complex, the challenge of
maintaining and patching systems is increasing exponentially,” Becquart
said. “This is why we increasingly see the adoption of a platform approach
to security and leveraging trusted cloud suppliers whenever possible is the
only way forward.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210405/e595537a/attachment.html>