By Associated Press
Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails beginning on Dec. 22 — and followed up with emails and phone calls. Company spokesman Rob Dougherty would not directly address the New Zealand central bank’s and Washington state auditor’s complaints. Accellion says fewer than 25 customers appear to have suffered significant data theft.
A timeline released March 1 by the cybersecurity firm Mandiant, which Accellion hired to examine the incident, says the company got first word of the breach on Dec. 16. The Washington state auditor says its hack occurred on Christmas.
The notification timing issue is serious. Washington state has already been hit by a lawsuit, and several have been filed against Accellion seeking class action. Other organizations could also face legal or other consequences.
Last month, Harvard Business School officials emailed affected students to tell them that some Social Security numbers had been compromised as well as other personal information. Another victim, the Singapore-based telecommunications company Singtel, said personal data on about 129,000 customers was compromised.
Too often, software companies with hundreds of programmers have just one or two security people, said Katie Moussouris, CEO of Luta Security.
“We wish we could say that organizations were uniformly investing in security. But we’re actually seeing them just dealing with the breaches and then vowing to do better in the future. And that’s been sort of the business model.”
Dougherty, the Accellion spokesman, said the attacks “had nothing to do with staffing,” but he would not say how many people directly assigned to security the company employed in mid-December.
Cybersecurity threat analysts hope the snowballing of supply-chain hacks stuns the software industry into prioritizing security. Otherwise, vendors risk the fate that has befallen SolarWinds.
In a filing this past week with the Securities and Exchange Commission, the company offered a bleak outlook.
It said that as supply-chain hacks “continue to evolve at a rapid pace” it “may be unable to identify current attacks, anticipate future attacks or implement adequate security measures.”
The ultimate, painful upshot, the document added:
“Customers have and may in the future defer purchasing or choose to cancel or not renewal their agreements or subscriptions with us.”