Clinical trial files accessed after ‘secure sharing service’ suffers cyber intrusion

Australian research institute confirms 'likely' data breach after third-party Accellion hack

The QIMR Berghofer Medical Research Institute in Brisbane, Australia, is investigating a “likely” data breach after a third-party service was compromised.

The medical research institution said its early investigation indicates that certain data stored in file-sharing system Accellion has been accessed.

Accellion, a US-based company that offers a secure file sharing system, announced it had been the victim of a cyber-attack on December 25 last year.

Read more of the latest data breach news

QIMR Berghofer said it was informed by Accellion on January 4, 2021, to apply a security patch, which it says it did so “immediately”, after also taking the software offline.

On February 2, the medical organization said it was told that it had been affected by the data breach. The institute’s investigation revealed that around 4% of its data held by Accellion had been accessed.

Nine employees of QIMR Berghofer used Accellion’s service, a press release states.

Stolen files

QIMR Berghofer said that it used Accellion’s services to share data related to clinical trials of anti-malaria drugs. However, it confirmed that no personally identifiable information was stored in the files.

Instead, the organization said that codes are used to refer to study participants.

A statement from QIMR Berghofer reads: “Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes.

“Some other documents include participants’ de-identified medical histories, along with their codes.”

In addition to the clinical trial data, the resumés of an estimated 30 current and former research staff were also stored in Accellion and could potentially have been accessed.

QIMR Berghofer also uses the software to share some internal files, and to share documents with the Mosquito and Arbovirus Research Committee, it said.

YOU MAY ALSO LIKE Tokyo Gas discloses data breach impacting anime-style dating simulation game

“We are very concerned that some data appears to have been accessed and I want to say a sincere sorry to our stakeholders, particularly our clinical trial partners and members of the public who took part in our anti-malarial drug trials,” QIMR Berghofer’s director and CEO, Professor Fabienne Mackay, said.

Professor Mackay added: “We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed.

“Many of these files have to be kept for 15 years. However, they did not need to be stored in Accellion. We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location.”

Zero-day vulnerability

The breach at Accellion impacted a number of organizations worldwide after a 20-year-old product that was nearing end of life – Accellion FTA – was targeted.

Accellion said that attackers took advantage of a zero-day product in the legacy software during the “sophisticated” hack.

All known issues have since been patched, said the company, adding that it has employed “new monitoring and alerting capabilities to flag anomalies associated with these attack vectors”.

Last month, New Zealand’s Reserve Bank of New Zealand – Te Pūtea Matua – announced it had also been the victim of a data breach following the incident.

The central bank said that the personal and sensitive information of clients had potentially been accessed after the unknown hackers gained access to files stored in Accellion.

Bank Governor Adrian Orr described the breach as “significant” and apologized “unreservedly” for the incident.

READ MORE Data breach at New Zealand’s Reserve Bank after third-party service hack