US Retailer Kroger Admits Accellion Breach

Written by

US retail giant Kroger has become the latest big-name brand to admit it suffered a data breach via legacy file transfer software.

The supermarket chain, America’s largest by revenue, posted the notice late last week.

It revealed that some of the firm’s customers and employees may have had their data compromised by a malicious third party who exploited a vulnerability in Accellion’s FTA platform.

“After being informed of the incident, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement and initiated its own forensic investigation to review the potential scope and impact of the incident,” the company said.

“Kroger’s own IT systems have not been affected by this incident. No grocery store data or systems, credit or debit card (including digital wallet) information, or customer account passwords were impacted. However, Kroger believes certain associate HR data, certain pharmacy records and certain money services records have been affected.”

Kroger said it was in the process of notifying those affected, claiming that there hasn’t been any indication of fraud or data misuse so far.

The retailer is the latest in a string of organizations to admit they were compromised via the legacy FTA product. Others include Singtel and the New Zealand Central Bank.

It’s unclear whether Kroger’s attackers exploited a vulnerability patched by Accellion over the Christmas period or one discovered by the vendor in January.

The statement would seem to indicate the latter, as Accellion informed Singtel on the same day (January 23) in an advisory for a new bug that the December 27 patch hadn’t fixed. The telecoms giant said it had likely been attacked on January 20.

Back in December, Kroger was one of the 30 top US retailers found to have connections to a vulnerable third-party asset.

Cincinnati-headquartered Kroger operates nearly 3000 stores across the US, and has over 400,000 employees.

What’s hot on Infosecurity Magazine?