Accellion: Massive International Data Breach That May Affect You

NOTICE: If you are a U.S. resident and received a data breach notice that mentions Accellion, contact the Arnold Law Firm at (916) 777-7777

accillion data breachYou may not have heard of Accellion, but software provided by the technology company may have exposed your personal information in one of the most extensive, complex data breaches of the year.

What is Accellion?

Accellion is a leading provider of firewall products intended to prevent data breaches. Accellion solutions are responsible for protecting the confidential information of more than 25 million individuals associated with more than 3,000 global corporations and government agencies, including NYC Health, KPMG, Kaiser Permanente, and National Park Service.

What happened?

In late December through late January, Accellion notified approximately 300 corporate customers of a cyberattack involving its widely used large file transfer software (FTA). FTA is a 20-year-old product nearing end-of-life, yet is still used by hundreds of organizations in the finance, government and insurance sectors to transfer sensitive files.

In late December 2020, Accellion discovered that authorized parties leveraged FTA software vulnerabilities to launch a series of cyberattacks. Numerous security incidents continued into January 2021, despite patches rapidly developed by Accellion to close these vulnerabilities.

The company claims that all known vulnerabilities were limited exclusively to FTA. Reportedly, Accellion has patched the exploited FTA vulnerabilities and has added monitoring and alerting capabilities to flag anomalies.

Compromised data varies by entity and collectively includes the following, so far:

  • Names
  • Social Security numbers
  • Driver license or state identification numbers
  • Dates of Birth
  • Bank account and routing numbers
  • Places of employment
  • Health information
  • Clinical data
  • Study and research data

Who was affected?

A complete list of affected organizations has not yet been released, and the number of data breach victims is expected to continue to grow. The following entities have confirmed a data breach involving Accellion:

  • Australian Securities and Investment Commission
  • Harvard Business School
  • Kroger Co. (current and former employees; pharmacy, health clinic, and money services customers)
  • New Zealand Reserve Bank
  • Optus (Australian telecom company)
  • QIMR Berghofer Medical Research Institute
  • Singtel (Singapore telecom carrier)
  • University of Colorado (students, prospective students, employees)
  • Washington State Auditor’s Office (1.4 million Washington residents who filed unemployment in 2020)

Additional FTA exploits continue to be a threat, and customers are encouraged to accelerate migration to other security solutions. Accellion reportedly had planned to retire the FTA product effective April 30, 2021.

Investigations are still in progress to identify the data, agencies, and individuals involved.

Accellion is a privately held cloud solutions provider based in Palo Alto, California. Founded in 1999, the company employs approximately 200 with annual revenues of $30 million USD.

Legal Action

In response to the massive data breach, class action lawsuits are currently being filed against Accellion.

The Arnold Law Firm will continue to monitor this data breach and provide updated information as our investigation continues.

NOTICE: If you are a U.S. resident and received a data breach notice that mentions Accellion, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation and possibly developing legal options.