Report: Accellion Failed to Notify Customers of FTA Zero-Day
2021-06-01 20:03

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application and related cyber-attacks targeting the security flaw, according to a new report from professional services firm KPMG. FTA is a large file transfer service that was retired at the end of April 2021, after being in use for roughly 20 years.

At the time of the attack, FTA still had roughly 50 customers, and some have already confirmed impact from the incident, including the Reserve Bank of New Zealand, the U.S.-based law firm Jones Day, the Office of the Washington State Auditor, and security and compliance solutions provider Qualys.

While Accellion did issue patches for the targeted security bugs, a problem with its email system prevented it from notifying impacted customers of the attacks in a timely manner, explains KPMG, which was engaged by the Reserve Bank of New Zealand - Te Pūtea Matua - to review the bank's response to the breach.

The bank was alerted to the vulnerability only on January 6 and applied the available patches the day after.

"We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time," KPMG said in the report.

"We were over-reliant on Accellion - the supplier of the file transfer application - to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning," the bank's Governor Adrian Orr said.


News URL

http://feedproxy.google.com/~r/securityweek/~3/7KjcV6ydDNc/report-accellion-failed-notify-customers-fta-zero-day

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Accellion | | 7 | 0 | 22 | 16 | 4 | 42 |