A Qualys booth set up at a trade fair. (Thomas Springer, CC0, via Wikimedia Commons)

Cloud security company Qualys said that follow up investigations have confirmed that the data breach it suffered in late 2020 and early 2021 was limited to customer data housed on third-party service provider Accellion’s file transfer system. However, the company also shared intelligence that the attackers behind the incident are engaging in a tactic to make the exposed data set look more voluminous than it actually is.

In a detailed update posted on the Qualys website April 2, CISO Ben Carr said that an independent, third-party forensic firm has verified the company’s initial determination that the attack did not jump from Accellion’s file transfer appliance server to Qualys’ larger corporate network.

“The forensic firm concluded the threat actor did not move from the Accellion FTA server into any Qualys environment and that Qualys’ existing security rules would not have allowed any such access between the Accellion FTA server and Qualys’ corporate and production environment,” Carr wrote.

While the Clop ransomware group continues to leak stolen data from Qualys online in phases, Carr said everything published so far has been from the original pool of affected information identified by incident responders. He also said that following investigations with Accellion and Mandiant, the company is confident that they have a complete list of customers with files on the Accellion server at the time of the incident.

“So far, we have seen no evidence to suggest that the threat actor has posted any additional data,” wrote Carr. “If that changes, we will investigate further and reach out to affected customers.”

However, the company appears to still be investigating some aspects of the incident. For instance, the hackers posted a number of email addresses that “in many cases” appear to have been taken from the FTA server even though there was not a corresponding file present at the time of the attack.

Qualys believes that in some cases, the group may be attempting to pad its numbers to make it appear as if they stole more data than they actually did by combining file names from one customer with email addresses from another.

“According to analysis and insight from our third-party forensic experts, this appears to be a new tactic employed by this threat actor group, which we wanted to inform the broader security community about,” Carr wrote. “We also engaged an additional forensic firm who thoroughly analyzed the data for any signs of information about individual users, beyond business contact information, such as names, usernames, company email addresses, job titles, and office addresses. Their analysis did not find any evidence of additional information about individual users on the server.”

While other victims of the hack have reported incidents where the hackers directly emailing customers, Qualys is not aware of any evidence that this has happened with their customers.

Qualys is just one of many companies affected by the compromise of Accellion. Victims include oil giant Shell, powerhouse law firm Jones Day, Michigan-based Flagstar Bank, the national grocery store chain Kroger and numerous government and educational organizations. The update from Qualys comes a week after their CEO and chair of the board, Philippe Courtot, resigned from the company, citing health reasons.

EDITOR’S NOTE: An earlier version of this story incorrectly stated that Qualys CEO Philippe Courtot’s resignation was due to health issues “related to COVID.” Courtot’s health issues were unrelated to the virus. The story has been updated and SC Media regrets the error.