Personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California was leaked online by the Clop ransomware group.
The threat actors obtained the documents after hacking the universities’
Data stolen in the attack targeting Stanford Medicine’s Accellion server includes names, addresses, email addresses, Social Security numbers, and financial information, reported the Stanford Daily.
“We discovered the breach earlier this week when the hackers posted evidence that they had accessed a limited number of files in our system containing some personally identifiable information,” UMB also told DataBreaches.net.
“UC has learned that it, along with other universities, government agencies, and private companies throughout the country, was recently subject to a cybersecurity attack,” a statement issued by the UC Office of the President reads.
“The attack involves the use of Accellion, a vendor used by many organizations for secure file transfer, in which an unauthorized individual appears to have copied and transferred UC files by exploiting a vulnerability in Accellion’s file-transfer service.”
The ransomware gang started leaking the universities’ data during late March, attempting to coerce them to pay ransoms to have the stolen data deleted and the leaks stopped.
The attackers haven’t gained access to universities’ internal networks, with the incident only impacting their Accellion servers.
While still unclear if Clop is behind these Accellion attacks or they’re collaborating with another group, a joint statement from Mandiant and Accellion shed more light on these attacks also linking them to a second operation, the FIN11 cybercrime group.
BleepingComputer has reported multiple data breaches affecting companies and organizations after these threat actors successfully compromised their Accellion FTA servers and exfiltrated sensitive information.
Five Eyes members also issued a joint security advisory in February about ongoing attacks and extortion attempts targeting orgs that use vulnerable Accellion File Transfer Appliance (FTA) versions.
In related news, Brown University, a private Ivy League research university, is still working on bringing systems online after it had to disable them following a cyberattack on Tuesday.