Connect with us

Hi, what are you looking for?


Application Security

Report: Accellion Failed to Notify Customers of FTA Zero-Day

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application (FTA) and related cyber-attacks targeting the security flaw, according to a new report from professional services firm  KPMG.

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application (FTA) and related cyber-attacks targeting the security flaw, according to a new report from professional services firm  KPMG.

FTA is a large file transfer service that was retired at the end of April 2021, after being in use for roughly 20 years. In mid-December, Accellion identified a critical vulnerability in the service and later discovered in-the-wild hacking attempts targeting the flaw.

At the time of attack, FTA still had roughly 50 customers, and some already confirmed impact from the incident, including The Reserve Bank of New Zealand, the U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), and security and compliance solutions provider Qualys.

While Accellion did issue patches for the targeted security bugs, a problem with its email system prevented it from notifying impacted customers of the attacks in a timely manner, explains KPMG, which was engaged by the Reserve Bank of New Zealand – Te Pūtea Matua – to review the bank’s response to the breach.

[ SEE: Shell Says Personal, Corporate Data Stolen in Accellion Incident ]

The bank was alerted to the vulnerability on January 6 only and applied the available patches the day after. However, the bank also received system-generated alerts of potential anomalous behavior.

“We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time,” KPMG said in the report.

Advertisement. Scroll to continue reading.

One other issue that the investigation revealed was the fact that the bank used the service for more than just secure file transfers, as intended, but instead relied on it as an information repository and collaboration too, which increased the volume of information at risk.

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning,” the bank’s Governor Adrian Orr said.

Orr also said that the bank takes full responsibility for the identified shortfalls. The total cost of the breach is estimated at around $3.5 million.

The attacks on FTA were linked to the FIN11 cybercrime group. The attackers published some of the stolen information on the Tor website associated with the Clop ransomware gang.

Related: City of Chicago Hit by Data Breach at Law Firm Jones Day

Related: Shell Says Personal, Corporate Data Stolen in Accellion Incident

Related: Cybercriminals Publish Data Stolen From Shell, Universities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...