The Organization

Bombardier Inc. is a Canadian multinational aerospace manufacturer headquartered in Montréal, Quebec. At the time of the breach, Bombardier was one of the world’s leading business jet manufacturers, producing the Global, Challenger, and Learjet families of aircraft. The company employed tens of thousands of people globally and held some of the most sensitive aerospace intellectual property in Canada — detailed aircraft designs, flight test data, manufacturing processes, and supplier specifications.

Bombardier was not a small subcontractor. It was a Tier 1 aerospace OEM with a substantial IT and security organization. And yet, the breach didn’t come through Bombardier’s own network — it came through a third-party tool that Bombardier relied on to transfer files.

What Happened

In late December 2020, a Russian-speaking cybercrime group known as Cl0p exploited a zero-day vulnerability in Accellion’s legacy File Transfer Appliance (FTA) — a decades-old file-sharing product used by organizations worldwide to send large files securely. The vulnerability (CVE-2021-27101 and related CVEs) allowed unauthenticated remote code execution on the FTA, giving attackers direct access to files stored on or passing through the appliance.

Bombardier was one of approximately 100 organizations compromised through this vulnerability. The attackers accessed and exfiltrated confidential data, including design documents for aircraft components, manufacturing specifications, and employee personal information. In February 2021, Cl0p began publishing stolen Bombardier data on its dark web leak site to pressure payment.

The attack was not targeted specifically at Bombardier. Cl0p systematically exploited the Accellion FTA vulnerability across every organization running the vulnerable appliance. Bombardier was collateral — but the data stolen was anything but generic. Aerospace design documents and supplier specifications represent years of R&D investment and, in some cases, export-controlled technical data subject to ITAR and Canadian Controlled Goods regulations.

The Impact

Data exposed: Confidential aircraft design data, component manufacturing details, supplier specifications, and employee personal information were confirmed compromised. Bombardier acknowledged the breach publicly after stolen data appeared on the Cl0p leak site.

IP exposure: Aerospace design documents are among the most sensitive categories of intellectual property in any industry. Detailed component designs and manufacturing specifications — once exposed — cannot be “unexposed.” Competitors, foreign intelligence services, and counterfeit parts manufacturers all benefit from this type of disclosure.

Regulatory implications: Depending on the nature of the documents exfiltrated, the breach potentially implicated ITAR export control requirements, Canada’s Controlled Goods Program obligations, and PIPEDA breach notification requirements for affected employees. The regulatory complexity of an A&D data breach extends far beyond privacy law.

Supply chain trust: Bombardier’s customers — corporate flight departments, charter operators, governments — and its supply chain partners had to assess whether their own proprietary information was included in the compromised data. A breach at an OEM ripples through the entire supply chain.

Root Causes — What Went Wrong

1. Reliance on a Legacy Third-Party File Transfer Tool

Accellion’s FTA was a product nearing end-of-life. Accellion itself had been urging customers to migrate to its newer platform (Kiteworks) for years. Bombardier — like many large organizations — continued using the legacy tool because it was embedded in operational workflows. The attackers didn’t need to breach Bombardier’s own security — they breached a tool Bombardier trusted.

2. Insufficient Vendor Risk Management for Critical Data Flows

File transfer tools that carry sensitive aerospace IP should be subject to the same security scrutiny as any system processing controlled or classified data. The Accellion FTA was a known legacy product with a history of vulnerabilities. A rigorous vendor risk management program would have identified the FTA as a high-risk component and prioritized its replacement or compensating controls.

3. No Data Classification Enforcement on Transfer Channels

Aerospace organizations handle data at multiple classification levels — from general corporate information to ITAR-restricted technical data. When all categories of data flow through the same transfer tool, a compromise of that tool exposes everything. There was no evidence that data classification controls restricted what types of data could be sent through the Accellion FTA.

4. Limited Detection of Third-Party Compromise

The Accellion FTA exploitation was discovered by Accellion (with Mandiant’s assistance), not by the individual organizations using the tool. Bombardier’s own security monitoring did not detect the unauthorized access and exfiltration occurring through a trusted, externally hosted tool. Third-party compromise is a blind spot for organizations that monitor their own perimeter but not their supply chain’s.

What AlecTech Would Have Done Differently

The Bombardier breach illustrates a pattern we see across aerospace and defence: organizations invest heavily in perimeter security while critical data flows through third-party tools that receive far less scrutiny. Here’s how AlecTech’s approach addresses each root cause:

Third-Party & Supply Chain Security Assessment (VCISO + Managed IT)

AlecTech’s VCISO service includes continuous vendor risk assessment for every tool and service provider that touches sensitive data. We maintain an inventory of all third-party data flows, assess vendor security posture against NIST 800-171 and CMMC requirements, flag end-of-life products like the Accellion FTA for immediate migration, and enforce contractual security requirements on vendors handling controlled or export-restricted data. The Accellion FTA would have been flagged as an unacceptable risk long before Cl0p found it.

ITAR-Compliant Secure File Transfer (Managed IT)

We architect secure collaboration and file transfer environments purpose-built for aerospace data: GovCloud-hosted file sharing with geographic access controls, data classification enforcement that prevents ITAR-restricted data from flowing through unauthorized channels, end-to-end encryption, and comprehensive audit logging that satisfies both ITAR record-keeping and CGP requirements. Sensitive aerospace IP never touches a legacy tool.

Data Loss Prevention Across All Transfer Channels (MDR & SOC)

Our SOC deploys DLP policies that monitor data movement across all channels — email, cloud storage, file transfer tools, USB devices, and web uploads. When engineering drawings bearing ITAR markings move through an unapproved channel, our systems flag it. When a file transfer tool begins sending data to an unexpected destination, we detect it. The Bombardier data was exfiltrated to attacker-controlled infrastructure — and DLP monitoring at the network layer would have identified that anomalous outbound transfer.
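The two failure modes described above (classification-restricted data leaving through a channel it was never approved for, and a file transfer tool suddenly sending data to a destination outside its normal set) can be checked with a small policy engine over transfer logs. The following is an added example, not AlecTech's or Bombardier's code, and it illustrates both root cause 3 (no classification enforcement on transfer channels) and the DLP monitoring described in this section. The channel names, the approved-channel policy, the known-destination baseline and the log lines are all constructed for illustration.

```python
"""
Added example (not AlecTech's or Bombardier's code): a small DLP-style checker
over constructed file-transfer events. It demonstrates (1) a classification-based
channel policy, so ITAR-marked data is only allowed through approved channels,
and (2) flagging a transfer channel that sends data to a destination outside its
known set. All channel names, destinations and log lines are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumed policy: which channels may carry each classification level.
APPROVED_CHANNELS = {
    "ITAR": {"govcloud-share"},
    "CONFIDENTIAL": {"govcloud-share", "corp-sharepoint"},
    "PUBLIC": {"govcloud-share", "corp-sharepoint", "legacy-fta", "email"},
}

# Assumed baseline: destinations each transfer channel has historically sent to.
# Channels absent from this map have no baseline and are not destination-checked.
KNOWN_DESTINATIONS = {
    "legacy-fta": {"supplier-a.example", "supplier-b.example"},
    "govcloud-share": {"supplier-a.example"},
}


@dataclass
class TransferEvent:
    user: str
    channel: str
    classification: str
    destination: str
    size_mb: int


def parse_event(line: str) -> TransferEvent:
    """Parse one constructed log line of the form
    'user=... channel=... class=... dest=... size_mb=...'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return TransferEvent(
        user=fields["user"],
        channel=fields["channel"],
        classification=fields["class"],
        destination=fields["dest"],
        size_mb=int(fields["size_mb"]),
    )


def check_event(ev: TransferEvent) -> list[str]:
    """Return the policy findings for one event (empty list if it is clean)."""
    findings = []
    # Check 1: is this channel approved for the data's classification level?
    allowed = APPROVED_CHANNELS.get(ev.classification, set())
    if ev.channel not in allowed:
        findings.append(
            f"classification-violation: {ev.classification} data sent via "
            f"unapproved channel {ev.channel} by {ev.user}"
        )
    # Check 2: is the channel sending somewhere it has never sent before?
    known = KNOWN_DESTINATIONS.get(ev.channel)
    if known is not None and ev.destination not in known:
        findings.append(
            f"unexpected-destination: {ev.channel} sent {ev.size_mb} MB to "
            f"{ev.destination}, not in its known destination set"
        )
    return findings


def scan(lines: Iterable[str]) -> list[str]:
    """Run both checks over a stream of log lines and collect all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(check_event(parse_event(line)))
    return findings


# Constructed sample log: the third line models ITAR data on an unapproved
# legacy channel, the fourth models the appliance sending to a new destination.
SAMPLE_LOG = """
user=eng01 channel=govcloud-share class=ITAR dest=supplier-a.example size_mb=40
user=eng02 channel=corp-sharepoint class=CONFIDENTIAL dest=internal size_mb=5
user=eng03 channel=legacy-fta class=ITAR dest=supplier-a.example size_mb=120
user=svc-fta channel=legacy-fta class=PUBLIC dest=203.0.113.10 size_mb=950
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running it on the constructed log produces two findings: the ITAR document routed through the legacy appliance, and the appliance's transfer to an address outside its baseline. In a real deployment the classification would come from document markings or labels rather than a log field, and the destination baseline would be learned from historical flow records, but the shape of the check is the same.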

Insider Threat & Departure Monitoring (MDR & SOC + Themis)

While the Bombardier breach was an external attack, the exfiltrated data included the type of IP that insider threats also target. Our monitoring covers both vectors: external compromise detection and internal behavioural analytics that flag anomalous access to design repositories, bulk downloads of engineering data, and data movement by employees who have given notice or are under investigation. You can’t protect aerospace IP if you only watch one direction.

The Numbers That Matter

Organizations affected by the Accellion FTA breach: ~100 worldwide
Attack vector: Zero-day in a legacy file transfer tool (not Bombardier’s network)
Data exposed: Aircraft design documents, manufacturing specs, employee PII
Threat actor: Cl0p ransomware/extortion group
How it was discovered: Accellion/Mandiant (not internal detection)
Regulatory exposure: ITAR, Controlled Goods Program, PIPEDA
Product status at time of breach: Accellion FTA was nearing end-of-life
Key lesson: Third-party tools carrying sensitive data are your attack surface

Key Takeaway

Bombardier didn’t get breached because its own security failed. It got breached because a third-party file transfer tool it depended on had a critical vulnerability — and the data flowing through that tool included some of the most sensitive aerospace IP in Canada. The lesson for every Canadian A&D organization is clear: your security perimeter doesn’t end at your firewall. It extends to every vendor, every tool, and every data flow that touches your controlled information. If you’re not assessing and securing those third-party connections, you’re not securing your IP — you’re hoping someone else is.
