February 19, 2021
Madalyn Brown sued cloud file-sharing company Accellion, Inc. after it reportedly experienced a breach that exposed information such as birthdates, addresses, and social security numbers from one of the Washington State Auditor’s Office (SAO) resident databases. Wednesday’s class action complaint alleged that Accellion knew its file transfer appliance (FTA) was “nearing end-of-life,” but continued to employ it nonetheless, allowing hackers to exploit a vulnerability therein.
The complaint explained that Accellion is a Palo Alto, California-based software company that specializes in cloud-based file sharing. Accellion allegedly developed, marketed, and sold its FTA for file-sharing convenience and to circumvent limits imposed on the size of email attachments.
Recent government data breaches have prompted a new bill in the Legislature aimed at protecting people’s personal information.
House Bill 1455 states that if it is not required by federal or state law, the Employment Security Department (ESD) would need to stop disclosing full social security numbers in written communication with non-governmental third parties. This would have to begin by July 2023.
Non-governmental third parties “excludes subdivisions, agencies, and instrumentalities of government,” according to the bill’s documents.
“Hundreds of thousands of Washington consumers, many of our constituents and those we serve, and even our families, have had their Washington data breached,” said bill sponsor Rep. Gina Mosbrucker (R-Goldendale).
The Washington State Capitol Building in Olympia. (Pastajosh, CC BY-SA 4.0, via Wikimedia Commons)
Malicious actors last Dec. 25 stole millions of unemployment applicants’ data from the Washington State Auditor’s Office (SAO) via a zero-day vulnerability in a 20-year-old file transfer service from Accellion, Inc. The incident and its aftermath serve as an example of the discord and miscommunications that can transpire between a third-party software provider and its users when something goes wrong.
The attack also demonstrates not only the critical importance of securing sensitive data on the move, but also the potential risks of using legacy applications that are nearing end of life.
New Zealand’s Reserve Bank is one victim of a breach involving Accellion’s FTA product. (Source: Wikimedia Commons)
Several data breaches stemming from unpatched vulnerabilities in Accellion’s File Transfer Appliance have been revealed. What went wrong? Where does the fault lie? And what can organizations do about it?
It’s not a straightforward story, and it points to problems around balancing use of an aging software product with risk, a reluctance to move onto a newer platform and internal patching hiccups.
It’s prudent for those still using Accellion’s FTA to wean themselves off of it if possible.