March 7, 2021, 4:53 p.m. EST

Lower-profile Accellion hack hit dozens of high-profile targets, including Kroger, CSX, Harvard

By Associated Press

Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails beginning on Dec. 22 — and followed up with emails and phone calls. Company spokesman Rob Dougherty would not directly address the New Zealand central bank’s and Washington state auditor’s complaints. Accellion says fewer than 25 customers appear to have suffered significant data theft.

A timeline released March 1 by the cybersecurity firm Mandiant, which Accellion hired to examine the incident, says the company got first word of the breach on Dec. 16. The Washington state auditor says its hack occurred on Christmas.

The notification timing issue is serious. Washington state has already been hit by a lawsuit, and several have been filed against Accellion seeking class action. Other organizations could also face legal or other consequences.

Last month, Harvard Business School officials emailed affected students to tell them that some Social Security numbers had been compromised as well as other personal information. Another victim, the Singapore-based telecommunications company Singtel, said personal data on about 129,000 customers was compromised.

Too often, software companies with hundreds of programmers have just one or two security people, said Katie Moussouris, CEO of Luta Security.

“We wish we could say that organizations were uniformly investing in security. But we’re actually seeing them just dealing with the breaches and then vowing to do better in the future. And that’s been sort of the business model.”

Dougherty, the Accellion spokesman, said the attacks “had nothing to do with staffing,” but he would not say how many people directly assigned to security the company employed in mid-December.

Cybersecurity threat analysts hope the snowballing of supply-chain hacks stuns the software industry into prioritizing security. Otherwise, vendors risk the fate that has befallen SolarWinds.

In a filing this past week with the Securities and Exchange Commission, the company offered a bleak outlook.

It said that as supply-chain hacks “continue to evolve at a rapid pace” it “may be unable to identify current attacks, anticipate future attacks or implement adequate security measures.”

The ultimate, painful upshot, the document added:

“Customers have and may in the future defer purchasing or choose to cancel or not renew their agreements or subscriptions with us.”
