Kroger is the latest addition to a growing list of victims impacted by the cyber attack against Accellion's legacy file transfer solution.
Kroger is a Cincinnati-based grocery and pharmacy retailer with 2,750 grocery retail stores and 2,200 pharmacies across the United States. Kroger announced that less than 1% of its customers were impacted by the breach.
“At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted,” Kroger said in its breach statement.
The compromised data did not include financial and login details.
“No credit or debit card information or customer account passwords were affected by this incident.”
After being notified of the incident by Accellion on January 23, Kroger terminated its vendor relationship with the company.
How did the Accellion breach happen?
The culprit behind this tumultuous global debacle is a legacy file-sharing appliance that should have been decommissioned years ago.
Accellion developed a solution to overcome the small file size limits of email attachments. The File Transfer Appliance (FTA) was created, allowing recipients to download large files via a link in an email instead of receiving them as attachments.
This technology was revolutionary for its time. Law, finance, and even government sectors embraced the solution saving them from email attachment frustrations.
But that was 20 years ago.
Even though file sharing has significantly evolved into secure cloud solutions, prestigious organizations are still using the legacy Accellion product to this day.
With so many high-value organizations sitting behind an aging product with multiple known weaknesses, it was only a matter of time before an attacker tore through FTA's defenses and claimed the prize.
Several vulnerabilities exposed FTA, including:
- An FTA interface SQL injection flaw
- An XSS flaw in FTA’s file manager
- A blind SQL injection flaw in FTA’s admin interface
- A command injection flaw in FTA’s admin interface
These vulnerabilities remained unpatched, and despite Accellion's prompts, legacy customers did not migrate to the company's updated file-sharing solutions.
In mid-December 2020, an attacker finally breached Accellion's FTA, accessing the private data of the many customers still running the legacy product at the time.
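As an added illustration (constructed for this page, not Accellion FTA code, and making no claim about how FTA's interfaces were actually implemented), the following Python shows what three of the flaw classes listed above look like in practice, each beside its hardened form: a query built by string concatenation (SQL injection), a boolean-based probe that reads another row's data one character at a time from a yes/no difference in the response (blind SQL injection), and a file name handed to a shell (OS command injection). The XSS class is not shown. The table, file names, owners and payloads are constructed sample data.

```python
"""Constructed example for this page: injection-prone handlers beside their
hardened versions.  This is not Accellion FTA code and does not describe how
FTA's interfaces were built; the data below is made up for illustration."""
import re
import sqlite3
import subprocess


def make_db():
    """Constructed sample data: a file table with one admin-owned row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO files (name, owner) VALUES (?, ?)",
                     [("report.pdf", "alice"), ("secret.xlsx", "admin")])
    return conn


# ---- SQL injection: string concatenation vs bound parameter --------------
def list_files_vulnerable(conn, owner):
    # The caller-controlled 'owner' value becomes part of the SQL text itself,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_fixed(conn, owner):
    # Bound parameter: the driver sends 'owner' as data, never as SQL text.
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def blind_probe(conn, list_files, position, guess):
    """Boolean-based blind SQL injection against whichever handler is passed.

    No data from the secret row is ever displayed; the attacker only observes
    whether alice's files come back (condition true) or nothing does
    (condition false), and repeats this per character to read the hidden
    'owner' value of secret.xlsx.  Against the fixed handler the whole payload
    is bound as a literal owner name, so the probe always returns False."""
    payload = ("alice' AND (SELECT substr(owner,%d,1) FROM files "
               "WHERE name='secret.xlsx')='%s" % (position, guess))
    return len(list_files(conn, payload)) > 0


# ---- OS command injection: shell string vs argv list plus allowlist -------
def print_name_vulnerable(filename):
    # shell=True hands the concatenated string to /bin/sh, which honours ';'
    # and other metacharacters, so the input can append its own command.
    res = subprocess.run("echo " + filename, shell=True,
                         capture_output=True, text=True)
    return res.stdout


# Hypothetical allowlist for this example: plain file names only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def print_name_fixed(filename):
    # Reject anything outside the allowlist, then pass the value as its own
    # argv element with no shell, so metacharacters are never interpreted.
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected filename: %r" % filename)
    res = subprocess.run(["echo", filename], capture_output=True, text=True)
    return res.stdout


if __name__ == "__main__":
    db = make_db()
    print(list_files_vulnerable(db, "' OR '1'='1"))   # both rows leak
    print(list_files_fixed(db, "' OR '1'='1"))        # []
    print(blind_probe(db, list_files_vulnerable, 1, "a"))  # True: 'admin' starts with 'a'
    print(blind_probe(db, list_files_vulnerable, 1, "b"))  # False
    print(print_name_vulnerable("report.pdf; echo INJECTED"))  # second command runs
    try:
        print_name_fixed("report.pdf; echo INJECTED")
    except ValueError as exc:
        print(exc)
```

The blind probe is the point a practitioner most often underestimates: the vulnerable handler never prints the secret row, yet the true/false difference in its output is enough to extract it, which is why the parameterised query (not output filtering) is the fix.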
Some of the victims impacted by this attack include:
- Washington State
- The Australian Securities and Investments Commission (ASIC)
- Reserve Bank of New Zealand
This list keeps growing, with victims surfacing almost every week. Accellion has finally decided to retire its legacy FTA software on April 30, 2021.
This incident, which will likely continue to unfold deep into 2021, exposes two concerning trends: the continued reliance on insecure legacy solutions and poor vendor security practices.