Kroger latest victim of Accellion breach

Edward Kost
February 22, 2021

Kroger is the latest addition to a growing list of victims impacted by the cyber attack against the file transfer solution, Accellion.

Kroger is a Cincinnati-based grocery and pharmacy retailer with 2,750 grocery retail stores and 2,200 pharmacies across the United States. Kroger announced that less than 1% of its customers were impacted by the breach.

“At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted,” Kroger said in its breach statement.

The compromised data did not include financial and login details.

“No credit or debit card information or customer account passwords were affected by this incident.”

After being notified of the incident by Accellion on January 23, Kroger terminated its vendor relationship with the company.

How did the Accellion breach happen?

The culprit behind this tumultuous global debacle is a legacy file-sharing app that should have been decommissioned years ago.

Accellion developed a solution to overcome the tight file size limitations of email attachments. The File Transfer Appliance (FTA) was created, allowing recipients to download large files via a link in an email instead of receiving them as attachments.

This technology was revolutionary for its time. Law, finance, and even government sectors embraced the solution, which saved them from email attachment frustrations.

But that was 20 years ago.

Even though file sharing has significantly evolved into secure cloud solutions, prestigious organizations are still using the legacy Accellion product to this day.

With such an irresistible network protected by perforated defenses, it was a matter of time before a hacker tore through Accellion’s security and claimed their prize.

Several vulnerabilities exposed FTA, including:

  • An FTA interface SQL injection flaw 
  • An XSS flaw in FTA’s file manager
  • A blind SQL injection flaw in FTA’s admin interface
  • A command injection flaw in FTA’s admin interface 

These vulnerabilities remain unpatched, and despite Accellion’s prompts, legacy customers didn’t transition to the company’s updated file sharing solutions. 

In mid-December 2020, an attacker finally breached Accellion, accessing the private data of the many customers still using their legacy product at the time.

Some of the victims impacted by this attack include:

This list keeps growing, with victims surfacing almost every week. Accellion has finally decided to retire its legacy FTA software on April 30, 2021.

This incident, which will likely continue to unfold deep into 2021, uncovers two concerning trends - the liberal adoption of insecure legacy solutions and poor vendor security practices.

To sever these dangerous trends, organizations need to evaluate the security of their internal solutions and scrutinize the defense efforts of their vendors.

How secure is Kroger?

The Kroger Co., or simply Kroger, is an American retailing company founded by Bernard Kroger in 1883 in Cincinnati, Ohio. It is the United States's largest supermarket chain by revenue ($115.34 billion for fiscal year 2016), the second-largest general retailer (behind Walmart) and the seventeenth largest company in the United States. Kroger is also the third-largest retailer in the world and the third largest private employer in the United States. As of September 2018, Kroger operates, either directly or through its subsidiaries, 2,769 supermarkets and multi-department stores.