Worldwide Accellion Data Breach Impacted Transport for NSW
The agency has been extorted by ransomware gang following the attack.
Following the cyberattack on Accellion’s FTA file transfer service, Transport for NSW, which is the main transport and roads agency in New South Wales, Australia, and the state’s ministry of health, is the latest government entity to be entrapped in the attack.
NSW did not indicate whether customer data had been affected but said that the breach was “limited to Accellion servers”, and that no other Transport for NSW systems had been affected.
The company issued an official statement, pointing out that some information was stolen before the Accellion attack was interrupted and that an investigation is ongoing, with the help of forensic specialists.
Cyber Security NSW is managing the NSW Government investigation with the help of forensic specialists. We are working closely with Cyber Security NSW to understand the impact of the breach, including customer data.
In December 2020, Accellion started notifying customers affected by the attack and has since patched all known FTA vulnerabilities exploited by the hackers.
NSW is working closely with Cyber Security NSW to understand the aftermath of the security breach. The company said it will ensure that any notification process for those affected will be secure and clearly communicated in due time.
Following the incident, the NSW Government has retired all instances of Accellion FTA as part of the centralized response to protect customer and government data.
Wishing They Were Better Strangers
Unfortunately, data breach notifications are well-acquainted with the NSW government. In April 2020, a cyberattack that compromised the information of no less than 186,000 customers targeted Service NSW, the state government’s one-stop-shop for service delivery. After an investigation that lasted four months, Service NSW said it discovered that 738GB of data (over 3.8 million documents), was stolen from 47 staff email accounts.
Among the companies that had their data leaked due to a zero-day software flaw so far are Fugro, Danaher, Singapore’s largest telco, Singtel, Law firm Jones Day, and the Reserve Bank of New Zealand. The latter was also affected by the same incident which had compromised information such as personal email addresses, dates of birth, or credit information. They are working directly with stakeholders to determine how many people were affected and will make sure they are well assisted.
In light of these numerous incidents, Accellion announced plans to retire FTA effective April 30, according to a company notice. Although these measures should have been done sooner, it’s understandable, given that Accellion likely didn’t want to overly aggravate its customers, particularly given the plethora of secure file-sharing alternatives. However, if an organization continues to use FTA, it should at the very least mitigate risk with a layered approach by patching and implementing additional log and access review.