This, on top of other recent supply chain hacks, led me to think about the importance of communication when these breaches happen: What good looks like. And what it doesn\u2019t. With the Accellion breach(es), I found that not all disclosures were public or full or timely, and some weren\u2019t any of those things. Let\u2019s take a look why that\u2019s a bigger problem than this one supply chain attack.<\/p>\n\n\n\n
The Accellion Disclosures<\/h2>\n\n\n\n
I\u2019ll be frank. On the whole, I found that Accellion\u2019s disclosures left a lot of room for improvement. Hopefully, showcasing this will provide all of us in the security business with an opportunity to learn, grow, and be better next time. Now, let me walk you through the timeline of their communications.<\/p>\n\n\n\n
Jan 12: \u201cLess than 50 customers affected\u201d<\/h5>\n\n\n\n
On January 12th Accellion disclosed<\/a>: \u201cIn mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20-year-old product that specializes in large file transfers. Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.\u201d Keep that \u201cless than 50 customers affected\u201d in mind as we find out how many customers were actually affected and why telephone is an awful game in cybersecurity unless it is to highlight how small misconceptions can make huge differences!<\/p>\n\n\n\n Another possible area of vagueness and ambiguity in that disclosure could be the use of \u201cP0 vulnerability.\u201d What exactly is a P0 vulnerability? If you Google that you won\u2019t get a direct hit (I tried). But if you dig a little deeper into Google<\/a> you\u2019ll find P0 is for \u201can issue that needs to be addressed immediately and with as many resources as is required. Such an issue causes a full outage or makes a critical function of the product to be unavailable for everyone, without any known workaround.\u201d Which is confusing because far from creating a full outage, the vulnerabilities exploited here led to a lot<\/strong> of really sensitive data being dumped.<\/p>\n\n\n\n Figure 1. Screen Capture from the Glossary for Google Issue Tracker.<\/p>\n\n\n\n The reality of the situation now, several weeks after the initial disclosure by Accellion, is that worldwide, multiple malicious actors have attacked multiple international government entities; federal, state, and local government organizations; as well as private industry organizations in the information technologies, healthcare, education, legal, retail, transportation, telecommunications, finance, and energy sectors (among others). In most cases attackers have been looking to extort money from these organizations to prevent the posting of personally identifiable information of the victim\u2019s customers. So\u2026 in this game of telephone, the \u201cless than 50 customers affected\u201d blooms substantially when you start looking at the supply chain of disclosures which is what this article intends to do.<\/p>\n\n\n\n On February 22nd Accellion finally admitted<\/a> that out of approximately 300 FTA clients about 100 were victims of the attack and fewer than 25 appeared to have suffered major data thefts. Which made me wonder: who all got hit? And how bad was it for their customers and their customers\u2019 data? It also got me thinking about how these supply chain breaches work at an operational level. How do you re-establish trust? How do you get ahead of these things and communicate with your customers and their customers? Because despite the business world\u2019s increasing digital transformation and IT sophistication, supply chain attack response looks a lot like that old-fashioned game of telephone.<\/p>\n\n\n\n Now that we\u2019ve evaluated the first links in the chain, let\u2019s evaluate the list of fewer than 25 customers who were hosting sensitive data on Accellion FTA. Again, the goal here is to provide us all with a learning experience to hopefully improve disclosures in the future. In this case, I have split the customers into two categories, those who publicly<\/strong> disclosed, and those who did not. Of those that did not, they no doubt reached out to their individual affected customers, or had none that were affected. With the ones that made a public disclosure it\u2019s easy enough to read them and assess the degree to which they tell you what happened, when, and what impact it may have on their customers. Also, like an apology, I think it\u2019s critical that public disclosures also make amends. How is the company going to regain public trust?<\/p>\n\n\n\n Figure 2. Screen capture of ABS Groups site with search for Accellion<\/p>\n\n\n\n Centene<\/a>, a U.S. managed care provider ranked No. 42 in U.S. corporations by total revenue, has provided no public disclosure as of March 18th but is suing Accellion<\/a> over the vulnerabilities and hack. It should be noted that HIPAA Breach Notification Rule, 45 CFR \u00a7\u00a7 164.400-414<\/a>, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. This rule applies to individual notification but also requires media notification within 90 days if the breach involves more than 500 citizens. As of the date of my research, we are still within 90 days.<\/p>\n\n\n\n Figure 3. Screen capture from the Harvard site showing Accellion FTA<\/a><\/p>\n\n\n\n 4. Jones Day<\/a>, the fifth largest law firm in the U.S., the 13th highest grossing law firm in the world, and outside counsel for Donald Trump’s 2016 and 2020 campaigns, was apparently a victim of the attack but did not publicly disclose what or if they were affected. The truly interesting thing here is that the company was no longer listed on CLOP\u2019s site<\/a> for data drops which may mean they paid the ransom?<\/p>\n\n\n\n With that, you can see for yourself a broad set of diverse responses to the Accellion breach(es). There are some good communications in the list above that we can all learn from. But with respect to Accellion, I find this a case study in what not to do with disclosure communications. Because detailing what \u201cbad\u201d looks like is only one, rather negative, part of the story and the really important, interesting piece is what you should do,<\/em> I intend to publish a follow-up blog in the coming weeks with my take on how to achieve good disclosure communication.<\/p>\n","protected":false},"excerpt":{"rendered":" With the Accellion breach not all disclosures were public or full or timely. Learn why this is a bigger problem than this one supply chain attack.<\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[106,6,105,49],"class_list":["post-324","post","type-post","status-publish","format-standard","hentry","category-research","tag-accellion","tag-attack-surface-management","tag-cloud-security","tag-vulnerability-management"],"yoast_head":"\n![\"Content](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-41.png\")
<\/figure>\n\n\n\nFeb 22: \u201cfewer than 100 were victims of the attack\u201d <\/h5>\n\n\n\n
Who\u2019s Who of Responders<\/h2>\n\n\n\n
Public Disclosures:<\/h5>\n\n\n\n
\n
Non-Disclosure Approach<\/h5>\n\n\n\n
\n
![\"Content](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-39.png\")
<\/figure>\n\n\n\n\n
![\"Content](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-40.png\")
<\/figure>\n\n\n\n