UPDATED 22:35 EDT / MARCH 22 2021

SECURITY

Oil and gas company Shell suffers Accellion-related data breach

Multinational oil and gas company Royal Dutch Shell plc is the latest victim of a data breach related to a vulnerability in software from Accellion Inc.

In a statement last week, Shell said that the data security incident involved Accellion’s File Transfer Appliance that it uses to transfer large data files securely. The data accessed, during a “limited window of time” according to Shell, included some personal data along with data from Shell companies and some of their stakeholders. Shell noted that there is no evidence of any impact on their core information technology systems, since the fire transfer service is isolated from the rest of the company’s infrastructure.

“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team and started an investigation to better understand the nature and extent of the incident,” Shell said. Those affected have been contacted to address possible risks with Shell also informing relevant regulators and authorities.

Exactly who was behind the data breach was not specified. Previous attacks have included the Clop ransomware gang and FIN11, according to Bleeping Computer. There’s no evidence at the time of writing that any of the stolen data from Shell has been published.

Previous victims who were using the vulnerable version of Accellion FTA server include Bombardier Inc.Jones Day, the Office of the Washington State Auditor and more recently Qualys Inc. In the case of Qualys, the Clop ransomware gang published screenshots of files allegedly belonging to the company to their leaks site.

“This is another example of an organization’s responsibilities when it comes to protecting data and ensuring customer privacy,” Purandar Das, chief executive officer and co-founder at data security firm Sotero Inc., told SiliconANGLE today. “Most organizations have been focused on protecting their internal networks and assuming that data when shared or transferred is the responsibility of the receiving party or the software/services provider.”

The upshot is that organizations have to think beyond their internal networks, he added. “Customers or consumers provide data to a company assuming they will own security and privacy regardless of where the data is transferred or how it gets moved around,” he said. “A loss of this data or a beach of this responsibility is still a reflection on the company that collected the data.”

Tim Mackey, principal security strategist at electronic design automation company Synopsys Inc.’s Cybersecurity Research Center, noted that the attack shows that proper security isn’t simply a matter of protecting servers with firewalls and desktops with anti-malware software.

“Attackers will find a weak link and if transferred data is in a consumable format, such as in plain text, then the damage from a compromise is that much greater,” Mackey said. “This is a perfect example of where threat models play a role. A forensic analysis will seek to determine key questions like who verified whether the file transfer service setup by Accellion was patched and who determined the file format used for the transfer.”

Photo: Snappy Goat

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU