Multinational oil and gas company Royal Dutch Shell plc is the latest victim of a data breach related to a vulnerability in software from Accellion Inc.

In a statement last week, Shell said that the data security incident involved Accellion’s File Transfer Appliance that it uses to transfer large data files securely. The data accessed, during a “limited window of time” according to Shell, included some personal data along with data from Shell companies and some of their stakeholders. Shell noted that there is no evidence of any impact on their core information technology systems, since the fire transfer service is isolated from the rest of the company’s infrastructure.

“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team and started an investigation to better understand the nature and extent of the incident,” Shell said. Those affected have been contacted to address possible risks with Shell also informing relevant regulators and authorities.

Exactly who was behind the data breach was not specified. Previous attacks have included the Clop ransomware gang and FIN11, according to Bleeping Computer. There’s no evidence at the time of writing that any of the stolen data from Shell has been published.

Previous victims who were using the vulnerable version of Accellion FTA server include Bombardier Inc., Jones Day, the Office of the Washington State Auditor and more recently Qualys Inc. In the case of Qualys, the Clop ransomware gang published screenshots of files allegedly belonging to the company to their leaks site.

“This is another example of an organization’s responsibilities when it comes to protecting data and ensuring customer privacy,” Purandar Das, chief executive officer and co-founder at data security firm Sotero Inc., told SiliconANGLE today. “Most organizations have been focused on protecting their internal networks and assuming that data when shared or transferred is the responsibility of the receiving party or the software/services provider.”

The upshot is that organizations have to think beyond their internal networks, he added. “Customers or consumers provide data to a company assuming they will own security and privacy regardless of where the data is transferred or how it gets moved around,” he said. “A loss of this data or a beach of this responsibility is still a reflection on the company that collected the data.”

Tim Mackey, principal security strategist at electronic design automation company Synopsys Inc.’s Cybersecurity Research Center, noted that the attack shows that proper security isn’t simply a matter of protecting servers with firewalls and desktops with anti-malware software.

“Attackers will find a weak link and if transferred data is in a consumable format, such as in plain text, then the damage from a compromise is that much greater,” Mackey said. “This is a perfect example of where threat models play a role. A forensic analysis will seek to determine key questions like who verified whether the file transfer service setup by Accellion was patched and who determined the file format used for the transfer.”

Photo: Snappy Goat