Experts Weigh In on Fallout From HBS Data Breach

Following a data breach of the Harvard Business School’s secure file transfer system in December, experts said they foresee ongoing consequences for the system’s users.

The HBS breach occurred when a third party exploited the secure file transfer system Accellion File Transfer Application and downloaded students’ personal information. Other affected institutions using the system included the Reserve Bank of New Zealand, Washington’s State Auditor Office, Canadian jet manufacturer Bombardier, and Jones Day Law Firm, which represented Donald J. Trump’s administration and reelection campaign.

On March 1, Accellion announced that it retained FireEye Mandiant, a cybersecurity forensics firm, to scour the FTA for vulnerabilities by performing penetration testing and reviewing code. Acellion also charged Mandiant with investigating the cyberattacks.

Isif Ibrahima, a threat analyst at Mandiant who worked on a report about the breach, said Mandiant tracked two groups involved with the stolen data: UNC2546 and UNC2582.

UNC2546 was responsible for the FTA exploitation and exfiltration, where hackers took advantage of a zero-day vulnerability in the device. Lauren Zabierek, a cybersecurity expert at the Kennedy School, described a zero-day vulnerability as a “hole.”

She added that because FTA is a 20-year-old legacy product nearing the end of its life, “these holes weren’t being patched.”

Accellion offers a migration service free of cost for clients to transfer data from FTA to the newer Kiteworks system. HBS declined to comment on why the Business School did not migrate to the new system before the breach.

In December, UNC2546 installed software that allowed the group to “execute commands on the compromised system” — which, in this case, involved the exfiltration of sensitive data — according to Ibrahima. The other group, UNC2582, then began extorting data theft victims in January.

With “significant overlaps” between the two groups, Mandiant now believes they are “related,” according to Ibrahima. He said the data stolen in the hack was the same data used to extort, thereby linking the groups.

Ibrahima also said that larger organizations tend to be at risk for “potentially widespread data theft and disclosure.”

Accellion has announced it will not be renewing FTA after April 30, and HUIT announced in February that Kiteworks would be made available to 9 out of 12 schools in the University, in addition to Radcliffe, FAS, and the Central Administration.

HUIT spokesperson Tim Bailey wrote that the breach only affected the Business School. The Business School declined to comment.

Zabierek said threat groups are often financially motivated to extort victims of data theft for money. She added that the data can end up with far-reaching entities.

“People looking to use that information could range anywhere between criminals through potentially nation-state actors,” she said. “So it’s not only just a question of personal security and data security and company security as far as all your data is concerned, but it’s also a national security issue as well.”

For affected students, Ibrahima recommended credit monitoring, calling the compromising of social security numbers as “pretty tangible and pretty serious.”

As for HBS, Ibrihma recommended that the school ensure “products are up to date” — either by patching or migrating to the newest available product. He also recommended regular review of logs from Internet-facing devices “for any anomalous activity.”

—Staff writer Carrie Hsu can be reached at carrie.hsu@thecrimson.com.