The story of the Accellion hack attack has taken another twist after cybercriminals leaked data to reporters as part of a blackmail attempt against Flagstar Bank.
Accellion is a file-sharing software provider that fell victim to two breaches around the start of the year after bad actors exploited weaknesses in its solutions, which have since been patched.
While the hacks have been eclipsed in the media by the humongous SolarWinds and Microsoft Exchange Server attacks, the Accellion incidents have been linked to dozens of influential organisations. The list of victims compromised by the digital assaults include Singtel, the Reserve Bank of New Zealand, Harvard Business School and the Trump administration’s one-time law firm Jones Day.
On Monday, Flagstar Bank officially joined the group of victims by publishing a statement, saying:
“Accellion, a vendor that Flagstar uses for its file sharing platform, informed Flagstar on January 22, 2021, that the platform had a vulnerability that was exploited by an unauthorised party. After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform. Unfortunately, we have learned that the unauthorised party was able to access some of Flagstar’s information on the Accellion platform and that we are one of numerous Accellion clients who were impacted.”
The Michigan-based bank added that it was working “expeditiously with our internal and external teams to determine what data may have been accessed, and will notify any impacted customers directly after we complete a thorough, diligent review of the data.”
It was only after the statement went out that reporters started to receive emails from people claiming to be members of the ransomware group called Cl0p.
These emails said the bad actors had published data on the dark web and emailed it to journos, Vice reported after receiving one of the emails. The hackers claimed to have leaked the data in order to force the lender to reconsier its decision not to pay the hackers.
The data shared to reporters included the names, social security numbers and home addresses of 18 alleged employees at Flagstar Bank as well as documents listing more personal information.
A source familiar with Flagstar told Vice that the bank had negotiated with the hackers to buy time to finish the investigation and to identify impacted clients.
The individual told Vice that the data breach includes information about bank customers and employees.