Accellion was first breached back in December by the hacker groups Clop and FIN11. The hackers' program was explicitly targeted by Accellion's File Transfer Appliance, a secure file transfer service created 20 years ago, initially created to help companies overcome data limits on email attachments.
While Accellion has mostly kept the technical details of the data breach under wraps--to prevent more vulnerabilities from being discovered until they can be patched--the company's chief marketing officer revealed a few key details to Bank Info Security, including that the FTA has been attacked multiple times as hackers attempt to find new vulnerabilities, with attacks occurring as recently as last week.
Kroger was first notified that it had been a victim of the breach on January 23, though Kroger's data breach's exact timing has yet to be determined or released to the press, a new vulnerability was discovered on the day Kroger was notified.
Immediately after being notified, Kroger discontinued its use of Accellion's products and alerted the U.S. federal government to the data breach. Kroger has also begun its own digital forensic investigation to establish the full scope of the breach. Thanks to the hack targeting the FTA specifically, Kroger found that its own IT infrastructure was unaffected.
"Kroger's own IT systems have not been affected by this incident. No grocery store data or systems, credit or debit card (including digital wallet) information, or customer account passwords were impacted. However, Kroger believes certain associate HR data, certain pharmacy records, and certain money services records have been affected," the company said in a statement.
Luckily, it would appear that not many customers have been affected by the breach, with the company citing a figure of "less than 1%". It is also believed that the hackers may have had access to and viewed some employees' personnel records. Kroger has offered free credit monitoring to anyone who may have been affected by the breach.
Kroger is one of several known victims and is only the most recent company to have been confirmed as such. Other victims include the University of Colorado, Singapore Telecommunications