
Kroger reports data breach from third-party file transfer service

Impact limited to certain pharmacy, money services, HR records, company says

Russell Redman

February 22, 2021

The Kroger Co. said the incident had no impact on the company's IT systems; grocery store systems or data; or customer credit/debit card information or account passwords. The Kroger Co.

The Kroger Co. has confirmed a data breach in connection with a vulnerability in file transfer software it used from data security and services firm Accellion Inc.

Kroger said late Friday that it received notification from Palo Alto, Calif.-based Accellion that an unauthorized person had gained access to certain Kroger files by exploiting a vulnerability in Accellion’s secure file-transfer appliance product, Accellion FTA. 

Based on information from Accellion and its own investigation, Kroger estimated that fewer than 1% of customers — specifically, from Kroger Health and Kroger Money Services — had data exposed, including certain pharmacy and money services records. Current associates and some former associates also will be notified that certain human resources records have been impacted by the breach, the Cincinnati-based grocer said.

“The incident was isolated to Accellion’s services and did not affect the Kroger Family of Companies’ IT systems or any grocery store systems or data,” Kroger stated Friday in announcing the Accellion breach. “No credit or debit card information or customer account passwords were affected by this incident.”

Kroger noted that it discontinued use of Accellion’s services after it was informed of the effect of the incident on Jan. 23. The retailer said that, at the time, it also reported the incident to federal law enforcement and launched its own forensic inquiry to review the potential scope and impact of the incident. Kroger also has posted an FAQ page about the incident on its website.


“Protecting data is a priority for the Kroger Family of Companies, and it is directly contacting all customers and associates who may have been affected to inform them of the incident,” Kroger said. “While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution, Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.”

Accellion publicly announced the Accellion FTA security issue on Jan. 12. The company said it learned of a zero-day vulnerability in the legacy software in mid-December, resolved the issue and released a patch within 72 hours to the fewer than 50 customers affected. A 20-year-old product, Accellion FTA specializes in large file transfers.

In an update earlier this month, Accellion described the issue as a “sophisticated cyberattack.”

“All FTA customers were promptly notified of the attack on Dec. 23, 2020. At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors,” Accellion said in the Feb. 1 update. “This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies,” the company added.


Today, Accellion reported that an investigation by cybersecurity firm Mandiant identified “UNC2546” as the criminal hacker behind the cyberattacks and data breach involving Accellion FTA. Some FTA customers attacked by UNC2546 had received “extortion emails” threatening to publish stolen data, Accellion said.

Security gaps related to aging software remain a vulnerability for many businesses, according to security engineer Amit Sharma of Mountain View, Calif.-based IT services firm Synopsys.

“One of the most substantial security challenges organizations currently face is how to manage their legacy products. They may be built using older technologies and sometimes lack the security features that come with new languages and frameworks,” explained Sharma, who’s part of the Synopsys Software Integrity Group. “Organizations should enforce their application security governance, risk and compliance (GRC) policies on the portfolio of products they employ.”

About the Author

Russell Redman

Senior Editor
Supermarket News
