The list of higher education institutions that’ve had student and faculty data stolen and published online after the compromise of a file-transfer application made by the software company Accellion now includes Stanford University, following the appearance this week of school files on a leak site operated by the hacking group believed to be responsible for the ongoing breach.
Data — including names, addresses, financial information and Social Security numbers — belonging to people at the Palo Alto, California, university’s medical school appeared on a site run by a hacking group known as Clop, the Stanford Daily reported Thursday.
Stanford Medicine students and faculty used Accellion to share large files, often with research collaborators outside the university.
Similar leaks have trickled out since January, after Accellion — which is scheduled to retire its file-transfer application this month — acknowledged that malicious actors had exploited vulnerabilities in the application's code last December. Over the past few months, organizations that used the application have seen some of their files stolen and published on Clop’s leak site, sometimes following ransom demands. Other universities that’ve been exposed include Harvard Business School, the University of Colorado, University of Miami, University of Maryland, Baltimore, Yeshiva University and the University of California campuses in Davis and Merced.
Corporate victims include the energy giant Shell, the Kroger supermarket chain and the aircraft maker Bombardier. The Accellion breach also affected the State of Washington, where the personal data of as many as 1.6 million people was potentially exposed after files belonging to the state auditor were compromised.
Jack Cable, a Stanford student and cybersecurity researcher who has been an adviser to the Cybersecurity and Infrastructure Security Agency, said it is unlikely Stanford will be the last Accellion client to see its files stolen and posted online by cybercriminals.
“Based on the exploitations we’ve seen and that stuff is still coming out now months after the [initial] notices, I think we can probably expect to see more,” he told StateScoop.
The deeper issue though, he said, is that organizations like Stanford are still heavily reliant on outdated — and vulnerability-laden — software like Accellion.
“This is preventable,” he said. “I’m not placing the blame on the university or any particular companies, but overall this is 20-year-old legacy software.”
Now that Stanford and other affected schools have suspended their use of Accellion, Cable suggested they switch to more widely deployed contemporary solutions for file-sharing.
“Something from Dropbox or Box is going to be more secure than legacy software,” he said. “You can’t just take a vendor’s word that their software’s secure. You have to be actively testing.”