Royal Dutch Shell Plc  .com Rotating Header Image

Oil Giant Shell Victimized In December 2020 Hack

Oil Giant Shell Victimized In December 2020 Hack

Lee Mathews: Senior Contributor Cybersecurity: March 23, 2021
Royal Dutch Shell, the parent company of U.S.-based Shell Oil Company, has announced a security incident on its corporate website. Dozens of other companies were impacted by the same attack.

In December of 2020 hackers targeted a specific piece of hardware, Accellion’s File Transfer Appliance, with previously-unreported vulnerabilities. Once they breached the vulnerable servers the hackers began exfiltrating data.

Shell’s breach notice states that some of the files stolen “contained personal data and others included data from Shell companies and some of their stakeholders.” That tracks with what other victims of the attack reported — victims that include law firm Jones Day, Bombardier, Qualys and grocery chain Kroger.

Shell began working with Accellion as soon as the breach was detected and its internal cybersecurity team began investigating.

To date, Shell has seen no evidence that the attackers managed to infiltrate other systems. The File Transfer Appliance was isolated from the rest of Shell’s network which appears to have limited the damage.

Hackers may have zeroed in on Accellion’s 20-year-old FTA because its end-of-life was rapidly approaching. Accellion had previously announced that FTA would be sunset in April of this year.

The appliances utilized CentosOS 6, a Linux-based operating system that saw long-term support end in November of 2020. Aceellion had been urging all its customers to transition from FTA to its more modern and robust Kiteworks platform.

At the time of the attack there were still around 50 companies still using FTA. It’s believed that around half of those suffered significant data losses, though it may be some time before the true impact is understood.

Victims have received extortion emails from the CLoP threat actors, and those who have chosen not to meet their demands have seen data posted to a name-and-shame site on the dark web.

Lee started writing about software, hardware, and geek culture around the time that the Red Wings last won the Stanley Cup. The two aren’t related in any way, however.


This website and sisters,,,, and, are owned by John Donovan. There is also a Wikipedia segment.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Comment Rules

  • Please show respect to the opinions of others no matter how seemingly far-fetched.
  • Abusive, foul language, and/or divisive comments may be deleted without notice.
  • Each blog member is allowed limited comments, as displayed above the comment box.
  • Comments must be limited to the number of words displayed above the comment box.
  • Please limit one comment after any comment posted per post.