Energy giant Shell (Royal Dutch Shell) became victim of a third-party data breach incident involving Accellion’s File Transfer Appliance (FTA) product. Shell uses the Accellion product to transfer large data files. Accellion claims the product is made for purposeful secure file transfers.
The attackers gained access to various files containing personal and company data from both Shell and some of its stakeholders. According to Shell, several of its global petrochemical and energy company affiliates were affected but their core IT systems were isolated from the incident.
Accellion revealed that it became aware of a zero-day security vulnerability in its FTA product in mid-December. The 20-year-old legacy product used by large corporations around the world would be deprecated in April of this year.
The appliances utilized CentosOS 6, a Linux-based operating system that saw long-term support end in November of 2020. Accellion had been urging all its customers to transition from FTA to its more modern Kiteworks platform. At the time of the attack, there were around 50 companies still using FTA.
Other victims of this third-party attack include aviation specialist Bombardier, Singaporean telco Singtel, and law firm Jones Day. Cyber security firm Qualys was also affected. While Qualys had a system go down because of this, no actual important data was leaked.
The Accellion attacks on Shell once again highlight the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploitation.
How could this have been prevented?
There are multiple approaches that can be followed. If we take the example of Qualys, they moved their less trustworthy vendor into a DMZ where it could do no harm. This all starts with active monitoring and evaluation of the third party, including having an exit plan for when things get really bad. Riskly offers comprehensive third-party risk management software and consultancy services to help you manage your third parties to help you prevent and prepare for these kinds of breaches.