The hack of software provider Accellion USA LLC has renewed security experts’ fears of attacks on suppliers and highlighted the difficulty of defending against them in real time.
A growing list of affected customers have shared timelines of the attack and claims of inadequate software patches that at times contradict the vendor’s account of events. The disclosure this week that victims include Jones Day—a law firm that handles sensitive information for clients—underscores how individuals who don’t interact with Accellion directly nonetheless might be exposed, security experts say.
These moving parts can complicate the response for all victims and start a blame game that could end up in court to determine liability, said Anthony J. Ferrante, global head of cybersecurity at
FTI Consulting
.
“The finger-pointing is just beginning,” said Mr. Ferrante, who has served as an expert witness in such lawsuits between companies.
Palo Alto, Calif.-based Accellion said in a Jan. 12 blog post that it learned in mid-December of a vulnerability in its File Transfer Appliance software, a 20-year-old tool to share large documents.
“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,” the company said.
In an update posted Feb. 1, Accellion said it notified “all FTA customers” of the vulnerability on Dec. 23.
“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,” the company said.
Some customers affected by the hack have offered a different sequence of events.
The Washington State Auditor’s Office, which reported that personal data of more than 1 million applicants for unemployment benefits might have been accessed through the FTA tool, said in a Feb. 1 news release that it “first learned of the incident on Jan. 12.”
Accellion shared information “over the next few weeks” that helped the office conclude it was affected, Kathleen Cooper, a spokeswoman for the Washington State Auditor’s Office, said in a statement.
New Zealand’s central bank reported some of its files stolen in the attack. The Reserve Bank of New Zealand said on a website dedicated to the breach that Accellion released a software patch on Dec. 20 but didn’t immediately alert security teams to install it.
“Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach,” bank Governor
Adrian Orr
said in a Feb. 9 statement.
A bank spokesman declined to comment further given the continuing investigation.
The conglomerate
Singapore Telecommunications
Ltd.
, known as Singtel, reported that the incident lasted weeks and led to hackers taking data, including information from 129,000 individual customers and 23 enterprises such as suppliers and corporate clients.
On Wednesday, Singtel said it applied a series of patches to the Accellion software by Dec. 27. But on Jan. 23, the company said, “Accellion advised that a new vulnerability had emerged that rendered patches previously applied in December ineffective.” Singtel said it later confirmed a breach after a subsequent attempt to update the software triggered an “anomaly alert” in its system.
An Accellion spokesman said in a statement that it is working with outside investigators to assess the original hack and newly discovered vulnerabilities. The vendor has said it is also helping customers replace its FTA software by April 30, after which licenses won’t be renewed, and migrate to a newer product called Kiteworks.
Cyber experts say software providers’ pending retirement of old tools often suggests they might not be investing in updates.
Accellion said on Feb. 1 that it has encouraged customers for the past three years to switch to Kiteworks, adding that the newer tool has “state-of-the-art security architecture, and a segregated, secure development process.” Singtel said on its website for the breach that the vendor only announced FTA’s “end of life” date on Jan. 28.
The Accellion spokesman declined to comment on specific customers and didn’t respond to a request for comment on when it announced FTA’s official end date.
“We will share more information once this assessment is complete,” he said.
Security experts say the fallout provides another wake-up call to aggressively vet vendors as investigators continue probing the breach last year of at least nine federal agencies and 100 companies through Texas-based software provider
SolarWinds
Corp.
The attack on Accellion “feels like a mini-SolarWinds,” said
Sachin Bansal,
general counsel for SecurityScorecard Inc., a cyber firm that rates businesses’ security posture.
Management and security teams should coordinate on when to upgrade software to avoid disruptions and reduce risks, said
Scott Crawford,
research director of information security at 451 Research, part of S&P Global Market Intelligence.
“We’ve got so much reliance on third parties now that if we don’t start taking this seriously, we’re going to have big problems later,” Mr. Crawford said.
—Catherine Stupp contributed to this article.
Write to David Uberti at david.uberti@wsj.com