Why On-Going Supply Chain Attacks Set Up an Awful Game of Telephone

You know that game we played as children where we stood in a line and whispered a phrase to the next kid in line, and then they whispered it to the next kid, and so on, and so on down the line? Every time we played, the phrase changed as it went along, and by the end only the kid who started the game knew what the original phrase really was.

I believe that the world's worst game of telephone is playing out now with the recent spike in supply chain attacks. 

You have undoubtedly heard plenty about the Accellion FTA-related breach(es) and how they affected Accellion customers, and even their customers’ customers. (You probably took a break from patching Microsoft Exchange or doing cleanup from the SolarWinds hack to look at Accellion-related disclosures and write-ups.) The reason I call it the worst game of telephone is because when I was researching Accellion I found that more than a month later there are still bits of information trickling out about who was affected and how. Like the game, the story seems to be changing as it progresses, and no one has the full details anymore. 

This, on top of other recent supply chain hacks, led me to think about the importance of communication when these breaches happen: What good looks like. And what it doesn’t. With the Accellion breach(es), I found that not all disclosures were public or full or timely, and some weren’t any of those things. Let’s take a look why that’s a bigger problem than this one supply chain attack.

The Accellion Disclosures

I’ll be frank. On the whole, I found that Accellion’s disclosures left a lot of room for improvement. Hopefully, showcasing this will provide all of us in the security business with an opportunity to learn, grow, and be better next time. Now, let me walk you through the timeline of their communications.

Jan 12: “Less than 50 customers affected”

On January 12th Accellion disclosed: “In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20-year-old product that specializes in large file transfers. Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.” Keep that “less than 50 customers affected” in mind as we find out how many customers were actually affected and why telephone is an awful game in cybersecurity unless it is to highlight how small misconceptions can make huge differences!

Another possible area of vagueness and ambiguity in that disclosure could be the use of “P0 vulnerability.” What exactly is a P0 vulnerability? If you Google that you won’t get a direct hit (I tried).  But if you dig a little deeper into Google you’ll find P0 is for “an issue that needs to be addressed immediately and with as many resources as is required. Such an issue causes a full outage or makes a critical function of the product to be unavailable for everyone, without any known workaround.” Which is confusing because far from creating a full outage, the vulnerabilities exploited here led to a lot of really sensitive data being dumped.

Figure 1. Screen Capture from the Glossary for Google Issue Tracker.

The reality of the situation now, several weeks after the initial disclosure by Accellion, is that worldwide, multiple malicious actors have attacked multiple international government entities; federal, state, and local government organizations; as well as private industry organizations in the information technologies, healthcare, education, legal, retail, transportation, telecommunications, finance, and energy sectors (among others). In most cases attackers have been looking to extort money from these organizations to prevent the posting of personally identifiable information of the victim’s customers. So… in this game of telephone, the “less than 50 customers affected” blooms substantially when you start looking at the supply chain of disclosures which is what this article intends to do.

Feb 22: “fewer than 100 were victims of the attack” 

On February 22nd Accellion finally admitted that out of approximately 300 FTA clients about 100 were victims of the attack and fewer than 25 appeared to have suffered major data thefts. Which made me wonder: who all got hit? And how bad was it for their customers and their customers’ data? It also got me thinking about how these supply chain breaches work at an operational level. How do you re-establish trust? How do you get ahead of these things and communicate with your customers and their customers? Because despite the business world’s increasing digital transformation and IT sophistication, supply chain attack response looks a lot like that old-fashioned game of telephone.

Who’s Who of Responders

Now that we’ve evaluated the first links in the chain, let’s evaluate the list of fewer than 25 customers who were hosting sensitive data on Accellion FTA. Again, the goal here is to provide us all with a learning experience to hopefully improve disclosures in the future. In this case, I have split the customers into two categories, those who publicly disclosed, and those who did not. Of those that did not, they no doubt reached out to their individual affected customers, or had none that were affected. With the ones that made a public disclosure it’s easy enough to read them and assess the degree to which they tell you what happened, when, and what impact it may have on their customers. Also, like an apology, I think it’s critical that public disclosures also make amends. How is the company going to regain public trust?

Public Disclosures:

1. Australian Securities and Investments Commission (ASIC) provided a complete breach disclosure with details about when and what was done. And currently they don’t have evidence that credit license application data was actually stolen so further actions aside from contacting ASIC with concerns via e-mail are not required.
2. Bombardier, a Canadian aviation company, reported on Feb. 23 that it recently suffered a "limited cybersecurity breach” where approximately 130 employees located in Costa Rica were impacted.
3. Flagstaff Bank, with assets of $31.0 billion, is the sixth largest bank mortgage originator and the second largest savings bank in the U.S. and maintains an “Accellion Incident Information Center” where their customers can get credit monitoring, fraud protection, and identity theft restoration.
4. Fugro - Dutch-based multinational marine geo-data specialist disclosed about the breach in early February but provided few details about their “CYBER SECURITY INCIDENT THIRD-PARTY SUPPLIER OF FUGRO”. In summary, they don’t believe any of their customers’ data was stolen and are being quiet about any of their intellectual property.
5. Kroger, the United States' largest supermarket by revenue and the second-largest general retailer behind Walmart, has a webpage dedicated to the “Accellion Incident” along with a useful FAQ on who was impacted, what they knew and when, how they handled this, and really every detail that is part of responsible breach disclosure. They should be commended. It should be noted that by industry estimates ⅓ of Americans shop at Kroger’s which is 209,128,094 adults and apparently 2% of those were affected by this breach or ~1.4M people’s data.
6. QIMR Berghofer Medical Research Institute, an Australian medical research institute, seems to be one of the few victims of this whose own data was compromised, like Fugro. In this case some of the documents in the Accellion FTA included de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some other documents include participants’ de-identified medical histories, along with their codes. In their breach disclosure they admit that the data stored on the FTA while requiring 15-year storage didn’t need to be accessible from the Internet. 
7. Reserve Bank of New Zealand in their website, “Our response to Data Breach,” updated on March 16th, 2021, has been very transparent about the extent of the breach, timelines, and actions taken.
8. Singapore Telecommunications (Singtel) provides a website updated on March 12th, 2021 with details “ABOUT ACCELLION FTA SECURITY INCIDENT.”  Some reporting holds that approximately 129,000 customers were affected by the breach.
9. Southern Illinois University School of Medicine maintains a disclosure statement “Notification of a Potential Data Security Incident” as of March 3rd and SIU determined that the documents taken contained personal information for certain individuals, including, their name, date of birth, Social Security number, driver’s license number, medical treatment information, and medical insurance information.
10. State of Washington also did a rapid response with a web page, “About the Accellion Data Breach,” affecting ~1.4M residents who filed for unemployment benefits with the state between January 1 to December 10, 2020. The disclosure includes details for getting free credit monitoring for fraud protection and a detailed timeline of the incident and the handling of it.
11. Transport for New South Wales disclosed on February 23rd and manages more than A$106 billion in property, plant and equipment assets for transportation in Australia’s state of New South Wales.
12. Trillium Community Health Plan on January 25th disclosed details about the breach and about actions it has taken and its customers can take. The compromised data included contact information, insurance ID numbers, dates of birth, and health information, such as medical conditions and treatments.
13. University of Colorado disclosed in late January that personally identifiable information from students, employees and others may have been compromised.
14. Qualys updated their blog on March 11th about the breach and stated that they believe they have a complete list of customers that had files on the Accellion FTA server at the time of the incident and that if you are a customer of theirs and haven’t heard from them, that you are not affected. At this point it’s not clear how many of their customers were affected.

Non-Disclosure Approach

1. The American Bureau of Shipping or ABS Group, a technical services company, received an email from the CLOP ransomware group requesting ransom and appear to be facing potential lawsuits but have provided no disclosure as of March 18. It is possible that no data was actually exfiltrated.

Figure 2. Screen capture of ABS Groups site with search for Accellion

Centene, a U.S. managed care provider ranked No. 42 in U.S. corporations by total revenue, has provided no public disclosure as of March 18th but is suing Accellion over the vulnerabilities and hack. It should be noted that HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. This rule applies to individual notification but also requires media notification within 90 days if the breach involves more than 500 citizens. As of the date of my research, we are still within 90 days.

1. CSX is one of largest rail operators in the U.S., with its network primarily concentrated on the East Coast. The company generated $2.8 billion in net profits on $10.6 billion in revenue in 2020. As of March 18th it has not publicly disclosed details about the breach.
2. Goodwin Law was notified in late January by Accellion as to the vulnerabilities in their FTA and while not making any public disclosure, Goodwin privately contacted their clients about the issue according to an internal memo. The memo said Goodwin has alerted any clients that could have potentially been affected, as well as reached out to all clients to let them know what happened.
3. Harvard Business School has made no public disclosure as of March 18th but still maintains an Accellion FTA based on Kiteworks, the latest secure OS from Accellion.  Again, it’s possible nothing was stolen.

Figure 3. Screen capture from the Harvard site showing Accellion FTA

4. Jones Day, the fifth largest law firm in the U.S., the 13th highest grossing law firm in the world, and outside counsel for Donald Trump's 2016 and 2020 campaigns, was apparently a victim of the attack but did not publicly disclose what or if they were affected. The truly interesting thing here is that the company was no longer listed on CLOP’s site for data drops which may mean they paid the ransom?

With that, you can see for yourself a broad set of diverse responses to the Accellion breach(es). There are some good communications in the list above that we can all learn from. But with respect to Accellion, I find this a case study in what not to do with disclosure communications. Because detailing what “bad” looks like is only one, rather negative, part of the story and the really important, interesting piece is what you should do, I intend to publish a follow-up blog in the coming weeks with my take on how to achieve good disclosure communication.