Shell has disclosed a data breach involving stakeholders that exposed personal information records.
The oil and gas company said an unknown threat actor managed to gain access to "various files" during the time of intrusion which included personal data and information "from Shell companies and some of their stakeholders."
Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators.
The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell's central infrastructure.
However, the data breach has been connected to Accellion's File Transfer Appliance (FTA), enterprise software used to transfer large files -- and a solution linked to a string of security incidents in December 2020 and January 2021.
Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks utilizing the security flaw.
However, thousands of organizations worldwide rely on the appliance, leading to a string of attacks against high-profile corporations and government entities.
The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed.
FireEye's Mandiant team was pulled in to conduct an assessment of the Accellion FTA vulnerability, finding two further vulnerabilities -- albeit accessible only by authenticated FTA users -- and all bugs, as of now, have been resolved in FTA. If systems remain unpatched, however, they also remain vulnerable to exploit.
The companies said in February that threat group FIN11 has been connected to the FTA zero-day exploit activity.
"Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack," Accellion said. "Within this group, fewer than 25 appear to have suffered significant data theft."
CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now been reserved to track associated vulnerabilities.
Users of Accellion FTA are recommended to switch to Kiteworks.
"We will continue to monitor our IT systems and improve our security," Shell says. "We regret the concern and inconvenience this may cause the affected parties."
Read the latest issue of the OGV Energy magazine HERE.
Bumi Armada adopts artificial intelligence technology to reduce operational emissions
Offshore US oil, gas facilities at ‘significant’ risk of cyberattack, watchdog warns
NSTA boosts North Sea technology use with innovative knowledge-sharing contract
Schlumberger launches Digital Platform Partner Programme