Singtel, QIMR Berghofer report Accellion-related data breaches


mood

Singtel and the QIMR Berghofer Medical Research Institute are the latest companies to disclose data breaches caused by a vulnerability in the Accellion FTA secure file transfer software.

 

Accellion is a developer of secure file transfer products that allow organizations to transfer sensitive files with people outside of their organization.

 

In mid-December, Accellion announced that they became aware of an actively exploited zero-day vulnerability in their FTA secure file transfer product that allowed threat actors to access customers' data.

 

While they released a patch on Christmas day as soon as they learned of the vulnerability, by the time some companies were able to patch, threat actors had already gained access to their data.

 

As Accellion FTA service is used by numerous government agencies, educational institutions, and companies, we have begun to see a wide-scale impact as companies report related data breaches.

 

Previous data breaches include the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO").

The Singtel data breach

Singtel, the largest mobile carrier in Singapore, announced today that they suffered a data breach caused by the Accellion FTA service's vulnerability.

"A third-party file sharing system provided by Accellion called FTA has been illegally accessed through a zero-day vulnerability or previously unknown vulnerability. Singtel uses this system to share information internally as well as with external stakeholders and organisations," Singtel announced in a security incident notification.

 

The telecommunications company has not disclosed what data has been accessed in the attack and states that they are currently investigating who was impacted.

"Given the complexity of the investigations, it will take time to make an impact assessment. We are working with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. We will reach out to individuals and organisations whose information may have been illegally downloaded," Singtel continued.

 

While investigations are underway, Singtel states that they have taken the FTA system offline while they perform an investigation into the breach.

 

Once it is determined what the threat actors accessed, they will begin contacting affected people.

QIMR Berghofer affected as well

The QIMR Berghofer Medical Research Institute has also announced today a data breach caused by the Accellion FTA service and has provided more detailed information regarding what information was accessed.

 

According to the research institute, the data breach appears to have occurred on December 25, 2020, when threat actors accessed approximately 4 percent, or 620MB, of data stored on the Accellion FTA service.

 

QIMR Berghofer states that they received their first notification to install Accellion's patch on January 4th, 2021. It wasn't until February 2nd, 2021 that Accellion notified them that they had suffered a data breach.

"The first notification QIMR Berghofer received from Accellion was on 4 January 2021, when the company advised the Institute to apply a security patch. The Institute immediately took the software offline and applied the patch."

 

"Accellion notified QIMR Berghofer on Tuesday 2 February 2021 that it believed the Institute had been affected by the data breach, which has also affected a number of Accellion’s other Australian and international clients," QIMR Berghofer disclosed in a data breach notice on their website.

 

The research institute states that they utilize the FTA service to receive and send data regarding clinical trials for anti-malaria drugs, and to share data with the Mosquito and Arbovirus Research Committee. 

 

However, the shared data is anonymized before being stored on Accellion, and trial participants are assigned codes to identify them.

 

The "de-identified" information stored by them on Accellion includes initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some documents also have a de-identified medical history.

 

QIMR Berghofer also states that the resumes of approximately 30 employees were stored on the Accellion FTA service.

 

The lack of identifying information in the data stored on the FTA device is a double-edged sword. 

 

While no personally identifying information has been disclosed, as each trial participant has been de-identified and assigned codes to refer to them, QIMR Berghofer has no way to contact them.

"We cannot contact these clinical trial participants because we don't know who they are, and don't have their names or contact details. However, if anyone has any concerns, or would like more information, they can contact us via the details below.

"We are contacting our clinical trial partners and other stakeholders to let them know what has happened and what we are doing to address this likely data breach," explains QIMR Berghofer.

 

 

Source: Singtel, QIMR Berghofer report Accellion-related data breaches


Singtel breach compromises data of customers, former employees

Personal data of 129,000 customers, including birth dates and mobile numbers, as well as financial details of the Singapore telco's former staff and employees of a corporate customer have been leaked in a security breach involving a third-party file-sharing system.

 

Singtel has confirmed that personal details of 129,000 customers, as well as financial information of its former employees, have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to the staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident. 

 

The announcement on Wednesday came just under a week after the Singapore telco revealed "files were taken" in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders. 

 

Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address. 

 

Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines were also leaked. In addition, "some information" from 23 enterprises including suppliers, partners, and corporate clients were compromised. 

 

Singtel would not offer further details on what exactly this information was, citing security reasons. 

 

The telco did say that a large part of the leaked data comprised internal information that was non-sensitive, such as data logs, test data, reports, and email messages.

 

It said it has begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks from the breach. This included provisions for a data service provider to provide identity monitoring services, at no additional cost to affected customers, who would be instructed on how to sign up for the service.

 

Singtel's group CEO Yuen Kuan Moon said: "While this data theft was committed by unknown parties, I'm very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.

"Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge," Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach. 

 

He noted that Singtel's core operations and functions were unaffected and it was conducting a "thorough review" of its systems and processes. 

TELCO INFORMED ONLY RECENTLY OF PRODUCT'S END-OF-LIFECYCLE DATE

ZDNet last week asked Singtel why it was still using FTA, a 20-year-old file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco did not address the question.

 

On an updated FAQ posted on its website, Singtel noted it has continued to use the software since it was "still a current product offered and supported by Accellion". The telco revealed that Accellion only announced the product's end of life on January 28 this year, effective from April 30. 

 

Accellion released a statement on February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle. 

 

Singtel said: "It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed."

 

The telco last week said Accellion's first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel. It said after finding this out, it then took the FTA system offline. 

 

A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised. 

 

 

Source: Singtel breach compromises data of customers, former employees
