Washington State Breach Tied to Accellion Vulnerability
State Auditor Says Office Never Received Notification of Flaw or Patch
A data breach of a Washington state auditor's system exposed 1.4 million unemployment claimants’ records. The breach involved exploiting a flaw in Accellion's file transfer product, called File Transfer Appliance, and the state’s auditor says the office was never notified of the vulnerability and that a fix was available, the Seattle Times reports.
Organizations in New Zealand and Australia have also been affected by breaches tied to exploits of the vulnerability. But Accellion says it issued a patch in December 2020 and alerted all affected customers.
On Monday, the Washington State Auditor's Office acknowledged that it was investigating a breach that occurred in December 2020, when hackers took advantage of the vulnerability to access files that included the personally identifiable information of Washington state residents who filed unemployment insurance claims last year.
Compromised data includes names, Social Security numbers, driver's license numbers, state identification numbers, bank account numbers and bank routing numbers as well as places of employment, according to the announcement.
Data files from some local governments and other state agencies were also exposed, state officials note.
At a Monday press conference, State Auditor Pat McCarthy noted that the data that was exposed had been collected as part of an investigation into how the state Employment Security Department lost $600 million to fraudulent unemployment claims in 2020, the Seattle Times reports.
McCarthy said that Accellion never notified her office that the company's file transfer product contained a zero-day vulnerability that needed patching, the newspaper reports. "Absolutely not. We had no indication, no indication that this product was not secure," she reportedly said.
Following McCarthy's remarks, Palo Alto, California-based Accellion issued a statement noting that the company has been aware of the vulnerability since December 2020 and had issued a patch and notification to customers within 72 hours of the flaw being discovered.
"Accellion [File Transfer Appliance], a 20-year-old product nearing end-of life, was the target of a sophisticated cyberattack," the company notes. "All FTA customers were promptly notified of the attack on December 23, 2020. At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors."
Other Accellion Incidents
In January, the Reserve Bank of New Zealand disclosed that hackers infiltrated its network after compromising its file-sharing system from Accellion. The nation’s central bank acknowledged that the attack may have exposed commercial and consumer information (see: Reserve Bank of New Zealand Investigates Data Breach).
Also in January, the Australian Securities and Investments Commission acknowledged a breach involving Accellion’s software, which the agency uses to transfer files and attachments (see: Australian Financial Regulator Hit by Data Breach).
While Accellion described the vulnerability in the File Transfer Appliance product as a "P0" flaw, other cybersecurity experts and government agencies, such as the Australian Cyber Security Centre, describe the bug as more of a SQL injection.
The breaches tied to the unpatched Accellion system vulnerability demonstrate the security issues of the digital supply chain and relying on third-party software for critical tasks, says Mike Hamilton, the former CISO of Seattle.
These concerns about third-party software and supply chain vulnerability have been in the spotlight in the last two months due to the investigation around the SolarWinds hack (see: SolarWinds Hackers Cast a Wide Net).
"What it continues to drive home is the importance of third-party security. In this case, the state had provided an application for use. It's more and more important to consider any provided applications as suspect until they're evaluated," says Hamilton, who is now the CISO of CI Security.
Trevor Morgan, product manager with data security firm comforte AG, says third-party suppliers and their customers need to communicate clearly about when tools are nearing end-of-life status and need to be upgraded or retired, as well as about the vulnerabilities that show up in legacy software platforms.
"Accellion had been in the process for years of trying to get customers to upgrade from the legacy application in question to a more modern version," he says. "Any organization that receives such advice from an application provider or vendor should heed the recommendation and work with the provider to close security holes through upgraded software.
"Perhaps Accellion wasn't being persuasive enough? On top of that, organizations should be actively working with providers to discuss how strong the built-in security mechanisms are and perhaps performing an audit of existing security configurations to determine deficiencies and mitigation plans to tighten up security."