Accellion breach

Accellion breach: QIMR research institute to take up the investigation.

The QIMR Berghofer Medical Research Institute in Brisbane, Australia is currently investigating a data breach that “likely” occurred when a third-party service was compromised.

The research institute, in the early stage of its investigation, claims that the data stored in “Accellion” has been accessed illegally.

Accellion is a U.S.-based software company that promises secure file sharing. It has declared that it came under a cyber-attack on December 25, 2020.

QIMR Berghofer says it was told by Accellion to apply a security patch, which it did immediately by taking the software offline.

The research institute was officially informed about the data breach on February 2.

The investigation conducted by the medical research centre reveals that 4% of data held by Accellion has been accessed.

Nine QIMR Berghofer employees used Accellion’s service, a press release states.

Stolen data

According to the investigation lead, the Accellion service stored data related to clinical trials and anti-malarial drugs.

However, the researchers confirm no personal information was disclosed by the attacker.

Only the codes that are used to refer to study participants were compromised.

QIMR Berghofer states, “Some of the documents in Accellion include de-identified information such as date of birth, initials, gender, age and ethnic group of clinical trial participants, as well as participant codes.”

“Some other documents, which included participants’ de-identified medical histories, were abducted in the attack.”

Along with the clinical trial data, the resumes of around 30 current and former research staff were stored in Accellion, and it is possible that they may also have been accessed.

QIMR also used this file sharing system to share documents with the Mosquito and Arbovirus Research Committee.

The CEO responds

Professor Fabienne Mackay, the director and CEO of QIMR Berghofer Research centre, responds to the issue: “We are very concerned that some data seems to have been accessed and I wanted to convey a sincere apology to our stakeholders, particularly our clinical trial partners and members of the public who took part in our anti-malarial drug trials.”

Mackay also added, “We do not believe that any of the data in Accellion could be used to identify any of those participants, but nonetheless, I beg your pardon that some of their de-identified information could potentially have been accessed.”

“Many of these files have to be kept for 15 years. However, they did not need to be stored in Accellion. We are examining our protocols for using third-party file sharing and will put procedures in place to try to ensure that data are reviewed regularly and saved in the most secure location.”

Zero-day vulnerability: the attack strategy

The breach had a severe impact on a number of organizations around the world, because the target was a 20-year-old data sharing product that was nearing the end of its life.

Accellion stated that the attackers took advantage of a zero-day vulnerability in the product during the attack.

After the incident, the company patched all issues known to date and also implemented new monitoring and alerting capabilities to flag anomalies associated with the attack vectors.

In the month that followed the attack, Te Putea Matua, the Reserve Bank of New Zealand, also reported that it had suffered a data breach that used the same strategy.

The Governor of the bank described the breach as “unique” and apologized for the incident.
