Royal Dutch Shell, the petrochemical giant (and one of the biggest companies in the world), is the latest in a series of high-profile victims who have suffered a data breach in connection with the troubled cloud provider Accellion.
Shell announced last week that there had been a “data security incident” involving the use of Accellion’s Secure File Transfer Application (FTA), a product it uses to “securely transfer large data files.”
Despite the name, FTA is ironically anything but Safe: In December, the product was revealed to have multiple zero-day vulnerabilities, such as those being attacked by a group of hackers stealing data. Since then, dozens of organizations have admitted to being victimized by the piracy campaign“A list that Shell sadly joins now.”
In what has become a predictable routine, the energy giant said last week that an “unauthorized party” used the FTA vulnerabilities to gain “access to various files for a limited period of time.” Those files included “personal data” and “data of Shell companies and some of their interested parties.” The oil company’s networks were not affected by the incident, the company said..
“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team, and began an investigation to better understand the nature and scope of the incident. There is no evidence of any impact on Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure, ”the company wrote in a statement..
The vagueness of this alert is such that it could virtually mean anything. It is not clear how much data was stolen, of what kind it was, or how many people might be affected by it. This could be really bad for Shell … or it could be that the hackers didn’t really get anything that exciting. Who can say!
However, if the hacks above give any indication, Shell might be having a hard time. The extent to which large and prominent organizations have been affected by the Accellion debacle has at times been surprising (see: Kroger, the largest supermarket chain in the U.S., or Jones day, a global law firm that He recently represented former President Trump amid his unfounded efforts to reverse the 2020 presidential election).
More recently, the list has exploded to include Canadian aerospace manufacturer Bombardier (whose spy plane plans were leaked all over the Internet by hackers); global cloud security provider Qualys; to major transportation agency in Australia; and Flagstar Bank, a large banking corporation, which recently announced that some of his clients’ social security numbers had been stolen in the attack.
Either this list will continue to grow is anyone’s guess. However, the fact that Accellion was releasing patches till March it definitely means that more breach disclosures may be in the works.