Security Experts:

Connect with us

Hi, what are you looking for?



Shell Says Personal, Corporate Data Stolen in Accellion Security Incident

Oil and gas giant Royal Dutch Shell (Shell) is the latest company to have confirmed impact from the December 2020 cyber-attack on Accellion’s File Transfer Appliance (FTA) file sharing service.

Oil and gas giant Royal Dutch Shell (Shell) is the latest company to have confirmed impact from the December 2020 cyber-attack on Accellion’s File Transfer Appliance (FTA) file sharing service.

A legacy service designed to allow for the sharing of large files, Accellion’s FTA service fell victim to a cyber-attack in December 2020, when hackers exploited zero-day vulnerabilities to gain access to customer data.

The soon-to-be-retired service had roughly 300 customers at the time, with up to 25 of them suffering significant data compromise following the incident.

Some of those to have already confirmed impact include U.S.-based grocery and pharmacy chain Kroger, law firm Jones Day, information security and compliance solutions provider Qualys, Australian health and transport agencies, the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and jet maker Bombardier.

In a data breach notification last week, Shell confirmed that it too was affected by the security incident.

Shell says that it worked with Accellion to immediately address the security holes, while also launching an investigation into the incident. To date, the investigation hasn’t revealed impact on Shell’s core IT systems – the FTA service is isolated from Shell’s infrastructure.

“The ongoing investigation has shown that an unauthorized party gained access to various files during a limited window of time. Some contained personal data and others included data from Shell companies and some of their stakeholders,” the company says.

Shell also notes that it is in contact with the individuals and stakeholders that have been affected, to address any possible risks associated with the data breach, but hasn’t disclosed the exact number of impacted entities. Regulators and authorities were also alerted on the matter.

“Cyber security and personal data privacy are important for Shell and we work continuously to improve our information risk management practices,” Shell also notes.

Related: Multiple Airlines Impacted by Data Breach at Aviation IT Firm SITA

Related: Antivirus Firm Emsisoft Discloses Data Breach

Related: Australian Corporate Regulator Discloses Breach Involving Accellion Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.