Sponsored By

Kroger reports data breach from third-party file transfer service

Impact limited to certain pharmacy, money services, HR records, company says

Russell Redman

February 22, 2021

3 Min Read
Kroger_Marketplace_store_banner-closeup.jpg
The Kroger Co. said the incident had no impact on the company's IT systems; grocery store systems or data; or customer credit/debit card information or account passwords.The Kroger Co.

The Kroger Co. has confirmed a data breach in connection with a vulnerability in file transfer software it used from data security and services firm Accellion Inc.

Kroger said late Friday that it received notification from Palo Alto, Calif.-based Accellion that an unauthorized person had gained access to certain Kroger files by exploiting a vulnerability in Accellion’s secure file-transfer appliance product, Accellion FTA. 

Based on information from Accellion and its own investigation, Kroger estimated that fewer than 1% of customers — specifically, from Kroger Health and Kroger Money Services — had data exposed, including certain pharmacy and money services records. Current associates and some former associates also will be notified that certain human resources records have been impacted by the breach, the Cincinnati-based grocer said.

“The incident was isolated to Accellion’s services and did not affect the Kroger Family of Companies’ IT systems or any grocery store systems or data,” Kroger stated Friday in announcing the Accellion breach. “No credit or debit card information or customer account passwords were affected by this incident.”

Kroger noted that it discontinued use of Accellion’s services after it was informed of the effect of the incident on Jan. 23. The retailer said that, at the time, it also reported the incident to federal law enforcement and launched its own forensic inquiry to review the potential scope and impact of the incident. Kroger also has posted an FAQ page about the incident on its website.

Related:Instacart says customer data hasn’t been breached

“Protecting data is a priority for the Kroger Family of Companies, and it is directly contacting all customers and associates who may have been affected to inform them of the incident,” Kroger said. “While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution, Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.”

Accellion publicly announced the Accellion FTA security issue on Jan. 12. The company said it learned of a zero-day vulnerability in the legacy software in mid-December and resolved the issue and released a patch within 72 hours to the less than 50 customers affected. A 20-year-old product, Accellion FTA specializes in large file transfers.

In an update earlier this month, Accellion described the issue as a “sophisticated cyberattack.”

“All FTA customers were promptly notified of the attack on Dec. 23, 2020. At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors,” Accellion said in the Feb. 1 update. “This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies,” the company added.

Related:Hy-Vee says malware caused payment card data breach

Today, Accellion reported that an investigation by cybersecurity firm Mandiant identified “UNC2546” as the criminal hacker behind the cyberattacks and data breach involving Accellion FTA. Some FTA customers attacked by UNC2546 had received “extortion emails” threatening to publish stolen data, Accellion said.

Security gaps related to aging software remain a vulnerability for many businesses, according to security engineer Amit Sharma of Mountain View, Calif.-based IT services firm Synopsys.

“One of the most substantial security challenges organizations currently face is how to manage their legacy products. They may be built using older technologies and sometimes lack the security features that come with new languages and frameworks,” explained Sharma, who’s part of the Synopsys Software Integrity Group. “Organizations should enforce their application security governance, risk and compliance (GRC) policies on the portfolio of products they employ.”

About the Author

Russell Redman

Senior Editor
Supermarket News

Russell Redman has served as senior editor at Supermarket News since April 2018, his second tour with the publication. In his current role, he handles daily news coverage for the SN website and contributes news and features for the print magazine, as well as participates in special projects, podcasts and webinars and attends industry events. Russ joined SN from Racher Press Inc.’s Chain Drug Review and Mass Market Retailers magazines, where he served as desk/online editor for more than nine years, covering the food/drug/mass retail sector. 

Russell Redman’s more than 30 years of experience in journalism span a range of editorial manager, editor, reporter/writer and digital roles at a variety of publications and websites covering a breadth of industries, including retailing, pharmacy/health care, IT, digital home, financial technology, financial services, real estate/commercial property, pro audio/video and film. He started his career in 1989 as a local news reporter and editor, covering community news and politics in Long Island, N.Y. His background also includes an earlier stint at Supermarket News as center store editor and then financial editor in the mid-1990s. Russ holds a B.A. in journalism (minor in political science) from Hofstra University, where he also earned a certificate in digital/social media marketing in November 2016.

Russell Redman’s experience:

Supermarket News - Informa
Senior Editor 
April 2018 - present

Chain Drug Review/Mass Market Retailers - Racher Press
Desk/Online Editor 
Sept. 2008 - March 2018

CRN magazine - CMP Media
Managing Editor
May 2000 - June 2007

Bank Systems & Technology - Miller Freeman
Executive Editor/Managing Editor
Dec. 1996 - May 2000

Supermarket News - Fairchild Publications
Financial Editor/Associate Editor
April 1995 - Dec. 1996 

Shopping Centers Today Magazine - ICSC 
Desk Editor/Assistant Editor
Dec. 1992 - April 1995

Testa Communications
Assistant Editor/Contributing Editor (Music & Sound Retailer, Post, Producer, Sound & Communications and DJ Times magazines)
Jan. 1991 - Dec. 1992 

American Banker/Bond Buyer
Copy Editor
Oct. 1990 - Jan. 1991 

This Week newspaper - Chanry Communications
Reporter/Editor
May 1989 - July 1990

Stay up-to-date on the latest food retail news and trends
Subscribe to free eNewsletters from Supermarket News

You May Also Like