Data from three universities published online in latest Accellion-related data breach
Three universities in the U.S. have had data stolen and published online in the latest data breaches related to a vulnerability in software from Accellion Inc.
The universities targeted were Stanford University, the University of Maryland, Baltimore, and the University of California at Berkeley, with one commonality among them: The stolen data was published by the Clop ransomware gang.
The Stanford data was stolen from the university’s School of Medicine and included names, addresses, email addresses, Social Security numbers and financial information, according to an April 1 story in the Stanford Daily. The university ticked the standard responses, such as hiring a cyber forensics firm, informing those affected and contacting law enforcement. There was no mention of ransomware being involved, although it was noted that access was gained through the Accellion File Transfer Appliance vulnerability.
By comparison, the University of Maryland, Baltimore did say that it had been targeted in a ransomware attack in December, with the stolen data being published this week. The data stolen in this case included a variety of personally identifiable information, including federal tax documents, passports, addresses and Social Security numbers.
Along with informing authorities, Yahoo News reported that the university decommissioned the Accellion system in February. Unlike Stanford, the University of Maryland, Baltimore appears to be more ahead of the game when it comes to responding, already offering security assistance including credit monitoring and identity restoration services to individuals whose documents were compromised.
There is no mention of ransomware in the breach of UC Berkeley, but as opposed to the other two universities there was a twist in its story. Holders of email accounts at UC Berkeley received email messages stating that their personal data had been stolen and would be released.
The list of known victims of the vulnerable version of Accellion FTA server includes Bombardier Inc., Jones Day, the Office of the Washington State Auditor, Qualys Inc. and Royal Dutch Shell plc., among others.
“When you use third parties, you are essentially taking on the security risk of that vendor, and if the Accellion breach at Stanford and elsewhere teaches us anything, it’s to ensure your suppliers have as strong a security posture as you do,” Demi Ben-Ari, co-founder and chief technology officer at security management firm Panorays Ltd., told SiliconANGLE. “Your organization likely wouldn’t rely on end-of-life appliances with vulnerabilities, but you may be doing just that when you open your network to other companies.”
Jerome Becquart, chief operating officer of identity solutions provider Axiad IDS Inc. noted that this illustrates the challenge organizations have to keep their various systems secure and up to date.
“As our digital ecosystem becomes more and more complex, the challenge of maintaining and patching systems is increasing exponentially,” Becquart said. “This is why we increasingly see the adoption of a platform approach to security and leveraging trusted cloud suppliers whenever possible is the only way forward.”
Photo: Stanford Medicine
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.