A number of higher education institutions have confirmed being impacted by a data breach stemming from a vulnerability in file transfer software provided by IT security company Accellion. This issue has led to the unauthorized access and theft of sensitive data, although the full extent of the breach remains unclear.
The breach has affected several prominent universities, including the University of California system, Yeshiva University, the University of Miami, the University of Colorado, Stanford University’s School of Medicine, and the University of Maryland, Baltimore. Evidence of this data theft was found on the dark web, linked to a cyberattack involving Accellion’s software earlier this year. The compromised data includes Social Security numbers, academic transcripts, medical records, research grants, and employment contracts.
It has been reported that the stolen data was made available on a website named Cl0p, operated by cybercriminals, which often publishes samples of stolen data and demands ransom to prevent further release. Despite the breach, no affected institution has yet reported being subjected to a ransomware attack.
A vulnerability in Accellion’s software, initially exploited in December 2020 and again in January 2021, was identified in a report by FireEye, a cybersecurity forensics company. Accellion, which specializes in secure file sharing, serves over 3,000 organizations, including companies, government agencies, hospitals, and universities.
Brett Callow, a threat analyst at cybersecurity company Emsisoft, noted that the Cl0p website has been publishing stolen data in stages, suggesting that further disclosures, potentially involving additional universities, could occur.
The data breach signifies a growing cyber threat to educational institutions. Recently, the FBI’s Cyber Division warned about the targeting of these institutions in ransomware attacks, and the IRS highlighted a tax refund scam focusing on .edu email addresses. Moody’s Investors Service also pointed out the rising credit risk for universities due to potential disruptions caused by cyberattacks.
Following the breach discovery, the University of Maryland, Baltimore, responded by contacting individuals affected and coordinating with law enforcement. The university continues to monitor for any illegal activities associated with the breach.
Accellion has addressed the known vulnerabilities in the attacked software, as stated by CEO Jonathan Yaron. The software in question, described as a legacy product, is now scheduled for earlier retirement.
In response to these events, institutions like Yeshiva University and the University of Miami have ceased using Accellion’s compromised software, focusing on investigating the incident and safeguarding against future breaches.
Experts like Brian Kelly, director of cybersecurity for Educause, emphasize the importance of regular dark web monitoring as part of a comprehensive cybersecurity strategy for educational institutions. Resources like the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) at Indiana University are pivotal in alerting institutions to potential threats.
Accellion advises its customers to transition to a newer file transfer platform, Kiteworks, to enhance security measures. Universities affected by this breach are actively working to determine the scope of data compromised and to notify those whose personal information may have been accessed.