Shell Hacked Via Accellion FTA

Royal Dutch Shell, the petrochemical giant (and one of the largest companies in the world), is the latest in a string of high-profile victims to have suffered a data breach in connection with beleaguered cloud provider Accellion.

Shell announced last week that a “data security incident” had occurred involving its use of Accellion’s secure file-transfer application (FTA), a product it uses to “securely transfer large data files.”

Despite the name, FTA is ironically anything but secure: In December, it was disclosed that the product had multiple zero-day vulnerabilities, the likes of which were being targeted by a data-stealing hacker group. Since then, dozens of organizations have admitted to being victimized by the hacking campaign—a list Shell now woefully joins.

In what has become a predictable routine, the energy giant said last week that an “unauthorized party” used FTA’s vulnerabilities to gain “access to various files during a limited window of time.” Those files included “personal data” and “data from Shell companies and some of their stakeholders.” The oil company’s networks were unaffected by the incident, the company said.

“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and started an investigation to better understand the nature and extent of the incident. There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure,” the company wrote in a statement.

The vagueness of this alert is such that it could mean virtually anything. It’s unclear just how much data was stolen, what type it was, or how many people might be affected by it. This could be really bad for Shell… or, it could be that the hackers really didn’t get anything that exciting. Who can say!

However, if past hacks give any indication, Shell might be in for a rough time. The degree to which large, prominent organizations have been affected by Accellion’s debacle has, at times, been surprising (see: Kroger, the largest grocery chain in the U.S., or Jones Day, a global law firm that recently represented ex-President Trump amidst his ill-founded efforts to overturn the 2020 presidential election).

More recently, the list has ballooned to include Canadian aerospace manufacturer Bombardier (whose spy plane blueprints were leaked all over the internet by hackers); global cloud security provider Qualys; a major transport agency in Australia; and Flagstar Bank, a large banking corporation, which recently announced that some of their customers’ social security numbers had been stolen in the hack.

Whether this list will continue to grow is anyone’s guess. However, the fact that Accellion was issuing patches up until March means it’s definitely possible that more breach disclosures could currently be in the works.