Third Party Risk Management Lessons Learned from Recent Accellion Breach
Some things get better with time, such as red wine, whisky, cast iron skillets, and your favorite pair of jeans. Other things, such as computer software and hardware, do not. In today’s fast-paced economy, companies of all sizes rely on software programs and hardware systems provided by a myriad number of third parties to power everything from applicant screening to payment processing systems. The global pandemic has also driven a rapid digital transformation across all industries to meet the needs of ever-changing customer bases and the increasing reliance on online services and remote workforces. Many companies have added new software, cloud hosting services, and other products or services provided by third parties to become more flexible and responsive to this rapidly changing market. This transformation, which has happened at warp speed, has helped companies reimagine their supply chains, roll out new e-commerce channels, and leverage AI and predictive analytics to propel smarter and more agile business operations for the future.
As many companies and their employees adapted to the new work from home environment this past year, one of the original work from home groups, black hat hackers, was busier than ever. The global pandemic ushered in another pandemic, a cyber pandemic. There have been daily reports of ransomware attacks and other cybersecurity incidents in the news, including the massive cyberattack at SolarWinds, Inc. that resulted in the infiltration of thousands of government and private networks. The FBI’s Internet Crime Complaint Center (IC3) recently released its annual report, the 2020 Internet Crime Report. Their data is eye-opening. The IC3 received 791,790 complaints of suspected internet crime in 2020, an increase of more than 300,000 complaints from 2019, with reported losses exceeding $4.2 billion.
The times may be changing at a rapid pace, but one thing remains constant. Third party risk management (TPRM) remains important even in a global pandemic because these parties present ongoing risks to your company. As a reminder, TPRM is the process of identifying, assessing, and controlling risks presented throughout the life cycle of a company’s relationships with any of its third parties, whether classified as vendors or suppliers.
The average life span of an off-the-shelf software program is six to eight years. Complex software programs will often last for twice that time. The typical lifespan of an average server is about three to five years, depending on how the server is used. Despite the shiny lure of new technology, most companies have limited resources. Many companies need to rely on some older software programs and legacy network equipment provided by third parties. The recent data breaches at Accellion, Inc. (Accellion), a privately held company based in Palo Alto, California, are a good reminder that companies need to focus on the “life cycle” component of their TPRM process. A good TPRM program should be able to identify, assess, and control for the unique risks of relying on older programs, systems, and hardware provided by third parties.
What Happened at Acellion?
When companies need to move copies of files from one computer to another over the internet, they may use one of the oldest network protocols still in use, the File Transfer Protocol (FTP) program. Although free software versions exist on the web and inexpensive software and FTP appliances are available from a number of third party providers, large organizations may need the higher capacity and security provided by third party providers, such as Accellion.
Accellion has, for a number of years, provided a File Transfer Appliance (FTA) product, which is essentially a dedicated computer used to move large and sensitive files within a network that may exceed typical email attachment size limits, to its customers. As files are entered into the FTA product, a URL is created for each document. Recipients can then use these links to download the relevant files hosted on the FTA product. Accellion advertised on its site that it “empower[ed] enterprise organizations to simply and securely exchange sensitive information with customers, partners, and vendors. Whether accessing information from Office 365, core enterprise systems, or mobile devices, Accellion users share files with complete visibility, governance, security and adherence to regulations and standards.”
In December 2020 and January 2021, hackers found an inroad into Accellion’s FTA product. Accellion hired a cybersecurity forensics firm to investigate this two-stage incident. The report from the forensics firm noted as follows:
The Exploited Vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution. … Accellion issued a patch addressing the vulnerabilities associated with the December Exploit on December 20, 2020 (four days after it started investigating anomalous activity associated with the exploit), and a patch addressing the vulnerabilities associated with the January Exploit on January 25, 2021 (three days after it started investigating anomalous activity associated with the exploit, having advised all FTA customers to shut down their FTA instances in the interim).
Although Accellion released patches in late December and January, a number of companies, law firms, and governmental entities have reported data breaches tied to these incidents. Accellion has over 3,000 customers, but the company has indicated that only approximately 300 of its customers remained on its FTA product and may have been impacted in these incidents. The forensics firm attributed the attack activity to two threat groups, one believed to be responsible for compromising the system and another believed to be responsible for engaging in extortion activity with some of the compromised customers.
Once the hacker was able to exploit the vulnerabilities in the software and navigate the FTA’s internal database, the hacker gained access to all of the files that were being transferred by Accellion’s customers using the FTA product. In most cases, a hacker must spend some time searching to find a company’s sensitive files. In this case, the hacker’s job was made much easier because companies, as advertised above, used Accellion’s FTA product to send files containing sensitive information.
Jones Day, an Accellion customer and ranked by AmLaw as the tenth-largest provider of legal services in the United States with annual gross revenue of over $2 billion, has reported that hackers stole confidential client data after breaching the FTA platform. The firm’s clients include half of the Fortune 500 companies, such as Google, JPMorgan Chase, Wal-Mart, Procter and Gamble, and McDonalds. The firm also represented the Donald Trump campaign. Files allegedly from Jones Day were posted on a secure website linked to the hackers. The posted documents included confidential emails and other communications between the law firm, other counsel, and a judge.
The Office of the Washington State Auditor has also reported that personal information included in 1.6 million unemployment claims filed by individuals who received unemployment benefits through the Washington Employment Security Department, another Accellion customer, between 2017 and 2020 were compromised in the breach. The compromised files included recipient’s names, dates of birth, home addresses, Social Security numbers, and banking information.
The Accellion breach has resulted in a flurry of litigation. Complaints have been filed against Accellion by their own customers and against companies impacted in the breach by their own customers.
Unemployment benefits recipients in Washington State and California have filed separate class action lawsuits against Accellion. Data from the University of Colorado, another user of Accellion’s FTA product, was also impacted in the breach and a resident of that state has filed a class action complaint against the company. Kroger, the grocery store chain and an Accellion user, was hit with a data breach class action lawsuit brought on behalf of Kroger employees and customers who allege that their personal information was compromised in the breach. Centene Corporation and Health Net, LLC, customers of Accellion, filed a complaint to recover their “significant costs and expenses associated with, among other things: remediation; mitigation; notifying members whose data was exposed; providing credit monitoring for members whose data was exposed; reporting the Accellion Data Breach to regulators; and attorneys' fees.”
This is not an exhaustive summary of the cases filed to date and tied to the incidents at Accellion. Other complaints against Accellion have also been filed and will likely continue to be filed. As of March 22, 2021, other reported Accellion customers impacted in the data breach incidents include the following:
- Harvard Business School
- Qualys, Inc.
- Reserve Bank of New Zealand
- Australian Securities and Investments Commission
- Transport for New South Wales
- NSW Health
- QIMR Berghofer
- Royal Dutch Shell
- Goodwin Proctor
- Flagstar Bank
- Trillium Community Health Plan
- Southern Illinois University School of Medicine
- CSX Corporation
This list is also likely to grow as more companies continue to investigate their use of the FTA product and begin notifying their customers, regulators, and others of any related data compromise.
What are Some TPRM Best Practices Take-Aways?
Some companies may not have included software and hardware providers in their overall TPRM program. Other companies have, but they may not have fully accounted for all of the risks that may arise with the use of these products and services over time.
Accellion’s FTA product had been in use for more than twenty years. Accellion had discontinued support of the FTA operating system, Centos 6, on November 30, 2020 and had already planned to end support of the FTA product on April 30, 2021. On February 25, 2021, the company publicly announced that the end-of-life date for the FTA product would be April 30, 2021. The company has said that it had been working to transition customers away from its FTA product and onto its new platform, Kiteworks, over the past three years. If so, it is unclear why over 300 customers were still using the legacy FTA product as late as January 2021.
The attack on Accellion and its FTA software highlights the importance of examining third-party software and hardware at some regular frequency to ensure that it continues to meet current security standards. The incidents also highlight the importance of data storage issues and records retention requirements as integral parts of your company’s overall data governance program. Companies need to understand where data is stored so they can manage the risks associated with such storage. Some of the impacted companies may discover that they could have minimized their risks by moving their files off the FTA platform once they had been downloaded by the recipient.
As products and systems age, internal training on these products and systems tends to taper off. Some new end users of the FTA product may not have been as familiar with all of the product’s features. End users could, depending on their company’s policy, opt to be notified of delivery of the attachments and encrypt all files, but these users may not have always known about or activated these product features.
Since it can often take years for companies to transition from dated software and legacy network equipment, a good TPRM program should incorporate the risks that may arise from reliance on such older systems, particularly any such systems used to process, store, or transfer personal or sensitive data. There are a growing number of methodologies, databases, and tools that can help companies forecast and manage technological (as in this case), functional, and logistical obsolescence of software and hardware. A good TPRM program should also flag when third parties begin to transition users to newer programs, systems, and hardware. If a company elects to be a late adopter, the risks of this approach should be identified and appropriate controls should be put in place to minimize the risks as these programs, systems, and hardware reach their end-of-support or end-of-life dates.
Your company’s third-party providers are part of a complex and diverse supply chain. As with any chain, the weakest link may break. The song, “As Time Goes By,” was written by Herman Hupfeld in 1931. Although various artists have recorded this song, the best-known version was performed by Dooley Wilson and featured in the 1942 movie, Casablanca. The song lyrics are familiar:
You must remember this … The fundamental things apply, As time goes by … On that you can rely, No matter what the future brings, As time goes by, Moonlight and love songs, Never out of date … That no one can deny.
Unfortunately, software programs and hardware systems are not the same as moonlight and love songs. These programs and systems will go out of date as time goes by and as in the Accellion breach, their cyber-risk vulnerabilities may exponentially increase as these programs and systems age. Most companies conduct extensive due diligence on new vendors during the selection and onboarding process, but risks remain after onboarding these vendors. Robust TPRM programs should capture these risks early in the process and appropriately respond to these risks as time goes by.