شناسهٔ خبر: 47019892 - سرویس سیاسی
نسخه قابل چاپ منبع: وال استریت ژورنال | لینک خبر

The Hack of a Small Tech Vendor Casts a Wide Net

The Accellion breach continues to ripple outward in courtrooms and at kitchen tables months after the initial hack.

صاحب‌خبر -

Theresa Hynes smelled something fishy in February when she received a letter at her Aurora, Colo., home awarding her unemployment benefits. She has a job.

Weeks later, a Best Buy Co. employee called to confirm Ms. Hynes had bought nearly $3,000 of merchandise with a credit card. She hadn’t.

A letter in March provided the 60-year-old some answers—and new questions. Flagstar Bank, a Midwestern financial firm that bought Ms. Hynes’s mortgage from another bank in 2018, said hackers stole her account information in January through a tech vendor’s tool. Ms. Hynes had never heard of the company in question: Accellion USA LLC.

The December breach of Accellion’s file-transfer tool shows how the blast radius from a cyberattack on a technology provider can widen over time, hitting individuals and businesses that don’t interact directly with the vendor.

The incident has spurred extortion schemes against some Accellion customers, as well as lawsuits by several affected consumers, and left victims like Ms. Hynes wondering how her own information could be used against her.

“This has nothing to do with any of my actions,” she said.

The more than two dozen organizations that say they were hit in the Accellion breach include the Reserve Bank of New Zealand, energy giant Royal Dutch Shell PLC, rail operator CSX Transportation Inc., cybersecurity firm Qualys Inc., and a string of U.S. universities and health insurance companies. A hacker gang known as “Clop” has posted stolen information online after extortion demands that victims say reach millions of dollars.

Accellion said it continues to support its clients in their forensic analysis and remediation. A representative for Accellion didn’t make company officials available for questions.

Attacking a tech provider allows hackers to reach many victims at once, said Phil Quade, chief information security officer of cyber firm Fortinet Inc. “When you’re an offensive operator, you want to figure out ways to scale,” he said.

Investigators have grappled with such scale in the damage from hacks of SolarWinds Corp.’s network-management software and Microsoft Corp.’s email software in recent months.

Accellion said attackers pounced on previously unknown vulnerabilities in its 20-year-old file-transfer application in December and January. The Palo Alto, Calif.-based company released patches, announced that it would discontinue the product and urged customers to switch to its more modern tool. Investigators at cybersecurity firm FireEye Inc. said the hack bore hallmarks of a criminal group operating out of post-Soviet states, which often deploys Clop ransomware, but didn’t discount that multiple groups could have collaborated.

The hackers weren’t able to jump into Accellion’s networks and accessed fewer than 100 clients’ data through the tool, Accellion said.

But damage quickly spread.

Grocery chain Kroger Co. reported to the Department of Health and Human Services on Feb. 19 that hackers accessed nearly 1.5 million pharmacy customers’ data transferred through Accellion’s application. A month later, Western Union Financial Services Inc. told the Maine attorney general that more than 15,200 of its customers, who transferred money at Kroger locations, also had sensitive data exposed.

A Western Union spokeswoman said the company had no evidence the breach affected money transfers. Kroger said that its internal networks remained secure but that it “discontinued the use of Accellion’s services” after the incident.

Companies vet vendors’ cybersecurity but can’t find every flaw. Some businesses try to mitigate risk through contracts with partners, which can lead to legal battles after a mishap.

Centene Corp. , which manages health insurance plans, claimed in Delaware court in March that Accellion breached its contract in part by refusing to foot the bill for the breach at a Centene subsidiary. Centene and Accellion, which has asked the court to dismiss the lawsuit, declined to comment on the litigation.

Business partners often haggle over cyber provisions in contracts, with larger customers holding the upper hand over smaller vendors, said Melissa Krasnow, a partner at VLP Law Group LLP. Whether vendors pay for breach costs is a key point of contention given that financial impacts can vary widely, she said.

“Those are the kinds of provisions you try to resist as a service provider,” said Ms. Krasnow, who isn’t involved in the case. “You might lose a large contract and client because of it. But is it worth that risk?”

Accellion customers say they spent significant resources responding to the breach.

At the University of Colorado system, a six-person security team in early February began manually combing through thousands of exposed files in search of personal data, according to people familiar with the matter.

“Initially it was damned alarming. It got more so as we peeled back that onion,” said Ken McConnellogue, the university’s vice president of communications. People purporting to be the hackers demanded $17 million to not publish university data in late February, he said, later dropping the sum to $5 million.

Mr. McConnellogue said university officials didn’t pay. “The idea we would trust them to do what they said they would do was totally unacceptable,” he added.

The university in April began sending notifications to students and employees whose data was compromised in more than 300,000 files that included Social Security numbers, academic records and school donation information. The school, which has switched to a new Accellion service, is still investigating.

Organizations swept up in the breach have suffered damage to their reputations.

After the Washington state auditor in February said more than 1 million unemployment beneficiaries had information exposed on the Accellion tool, some members of a Facebook support group bashed the state government’s data practices and traded privacy tips. Like many fraud victims, people who experienced subsequent identity theft are unsure if it stems from data stolen through Accellion’s tool or another breach.

The Washington state auditor declined to comment.

Ms. Hynes in Colorado estimated that she has spent up to 20 hours communicating with her state’s unemployment agency, Best Buy and Flagstar Bank about her identity theft. She said she is worried the fraudulent unemployment claim will affect her tax bill next year and fears that her mortgage is vulnerable.

A representative for Troy, Mich.-based Flagstar Bank pointed to a March statement offering customers free credit monitoring. That is little consolation for Ms. Hynes, who said she has begun receiving vague phishing texts seeking to make a deal on her house.

“I’ve never had to deal with so much nonsense ever,” she said.

—Jim Oberman contributed to this article.

Write to David Uberti at david.uberti@wsj.com

Copyright 2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8