April 7, 2021
Multiple higher education institutions have now confirmed they were victims of data theft related to a security flaw in file transfer software sold by IT security company Accellion, but the true scale of the data breach is still not fully understood.
Sensitive information from the University of California system, Yeshiva University, the University of Miami, the University of Colorado, Stanford University’s School of Medicine and the University of Maryland, Baltimore, was recently discovered on the dark web in connection with the Accellion cyberattack, which took place earlier this year.
All institutions have confirmed they are customers of Accellion and are actively investigating the incident.
Data files that include personal information such as Social Security numbers were stolen from the universities and made available to download via a website called Clop that is run by cybercriminals. A sample of documents reviewed by Inside Higher Ed included academic transcripts, medical records, research grants and employment contracts.
The Clop website is known to publish samples of stolen data and then demand a ransom not to publish the rest of the information.
So far, no institution has said it was affected by a ransomware attack, although institutions have reported differing experiences. The University of Maryland, Baltimore, received no ransom note, and no software was placed on its system, according to a spokesperson. The University of California system warned that threatening mass emails have circulated, however.
A vulnerability in Accellion’s file transfer software was first exploited by cybercriminals in December 2020 and then again in January 2021, a recent report commissioned by Accellion from cybersecurity forensics company FireEye found.
More than 3,000 organizations including companies, government agencies, hospitals and universities are customers of Accellion, which markets itself as a specialist in secure file sharing.