Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Jones Day Suffers Data Breach, Another Victim of the Hack of Vendor Accellion

February 18, 2021

Bloomberg Law reported on February 16 that law firm Jones Day had suffered a data breach – yet another breach related to the hack of Accellion, which provides file transfer and other services for a number of law firms.

Jones Day is the second major law firm in two weeks to have private data exposed due to a breach at Accellion. Goodwin Procter said on February 2 that it had also suffered a breach.

“Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies and organizations—used was recently compromised and information taken,” said spokesman David Petrou in a statement provided to Bloomberg Law. “Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

Jones Day is the tenth largest law firm in the country, with more than $2 billion in gross revenue, according to AmLaw 2020 rankings. The firm has been in the news frequently because of its close ties with the Trump administration. Jones Day’s clients also include Alphabet Inc.’s Google, JPMorgan Chase & Co., Walmart Inc., Procter & Gamble Co., and McDonald’s Corp.

Accellion said in a statement posted to its website February 1 that its File Transfer Appliance, a two-decades-old file transfer product nearing its end-of-life, “was the target of a sophisticated cyberattack.”

“Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm,” spokesman Robert Dougherty told Bloomberg Law. “We will share more information once this assessment is complete. For their protection, we do not comment on specific customers.”

State officials in Washington said in January that more than 1 million state residents seeking unemployment benefits in recent years had their data exposed as part of the Accellion breach. Accellion is already facing a lawsuit on behalf of those residents.

“Accellion has a track record of severe, readily-exploitable vulnerabilities in the FTA product,” said Bob Dooling, a security risk manager for health IT company Redox. He noted that Facebook reportedly stopped using the product in 2016 after a single researcher hacked the system, exploiting at least one vulnerability “very similar” to the source of the latest breach.

Accellion has said it provides services for a number of large law firms, including Cozen O’Connor, Seyfarth Shaw, Arent Fox, and Barnes & Thornburg.

In its February 1 press release, Accellion said, “Accellion FTA, a 20-year-old product nearing end-of-life, was the target of a sophisticated cyberattack. All FTA customers were promptly notified of the attack on December 23, 2020. At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.

“All vulnerabilities are limited exclusively to FTA. They do not in any way impact Accellion’s enterprise content firewall platform known as kiteworks. The vast majority of Accellion’s clients reside on the kiteworks platform, which is built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure development process.

“In mid-December, Accellion was made aware of a zero-day vulnerability in its legacy FTA software. Accellion released a fix within 72 hours. This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies.”

“Our latest release of FTA has addressed all known vulnerabilities at this time,” commented Frank Balonis, Accellion’s Chief Information Security Officer. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible.”

Looks to me like Accellion might have been wise to bring FTA to end-of-life somewhat sooner.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson