Kroger is the latest addition to a growing list of victims impacted by the cyber attack against the file transfer solution, Accellion.
# Incident Report: Accellion File Transfer Appliance (FTA) Breach Impacting Kroger
## Executive Summary
Kroger was among several organizations impacted by a large-scale cyber attack that exploited vulnerabilities in the legacy Accellion File Transfer Appliance (FTA), a product of Kroger's vendor Accellion. Accellion notified Kroger of the breach on January 23, 2021; the initial compromise occurred in mid-December 2020. The breach resulted in the exposure of data related to Kroger Health and Money Services customers. Kroger responded by immediately terminating its relationship with Accellion.
## Incident Details
- **Discovery Date:** January 23, 2021 (Date Kroger was notified by Accellion)
- **Incident Date:** Mid-December 2020 (Approximate initial compromise date at Accellion)
- **Affected Organization:** Kroger (The Kroger Co.)
- **Sector:** Grocery and Pharmacy Retail
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-December 2020 (Approximate)
- **Vector:** Exploitation of unpatched vulnerabilities in the Accellion File Transfer Appliance (FTA), the file transfer product Kroger obtained from its vendor, Accellion.
- **Details:** Attackers leveraged several flaws in the legacy FTA, including SQL injection, blind SQL injection, XSS, and command injection flaws in the admin and file manager interfaces of the product that Accellion's clients used.
### Lateral Movement
- Not explicitly detailed for Kroger's specific impact; data access is assumed to have occurred through internal compromise within the Accellion environment.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Data pertaining to less than 1% of Kroger customers, specifically those using Kroger Health and Money Services.
- **Note:** Financial and login details (credit/debit card information or account passwords) were confirmed *not* to be affected.
### Detection & Response
- **How it was discovered:** Accellion notified Kroger of the incident on January 23, 2021.
- **Response actions taken:** Kroger investigated, confirmed the limited customer impact, and immediately terminated its vendor relationship with Accellion.
## Attack Methodology
- **Initial Access:** Exploitation of multiple known, unpatched vulnerabilities (SQL injection, XSS, Command Injection) in the Accellion FTA software.
- **Persistence:** Not detailed (Focus is on vendor compromise).
- **Privilege Escalation:** Not detailed (Focus is on vendor compromise).
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Data related to Kroger Health and Money Services customers was collected from the shared FTA solution.
- **Exfiltration:** Data was exfiltrated from the compromised Accellion environment.
- **Impact:** Unauthorized access and exposure of customer PII/other non-financial data.
## Impact Assessment
- **Financial:** Estimated costs not available, but Kroger incurred costs related to investigation and vendor termination.
- **Data Breach:** Data of less than 1% of Kroger customers, specifically from Kroger Health and Money Services. No credit card or password data was compromised.
- **Operational:** No direct mention of major operational disruption for Kroger operations, beyond managing the breach disclosure and vendor severance.
- **Reputational:** Negative publicity resulting from being listed among victims of the wide-reaching Accellion breach.
## Indicators of Compromise
*Indicators related to the underlying Accellion FTA vulnerability exploitation are generally applicable across all victims (e.g., exploitation attempts against specific application endpoints).*
- **Network indicators (Defanged):** Not specified for Kroger's environment; any indicators would be associated with the communication channels used by the compromised Accellion server.
- **File indicators:** Not specified.
- **Behavioral indicators:** Unauthenticated exploitation attempts targeting Accellion FTA interfaces (e.g., attempts to execute commands or inject queries via known vulnerable parameters).
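The behavioral indicator above (injection attempts against the FTA's web interfaces) is the kind of thing a defender can hunt for in web server access logs. The following is an added example, not code from the original report and not anything published by Kroger or Accellion: it parses combined-format access log lines, URL-decodes the query parameters, and flags values that carry SQL injection or command injection markers, then tallies hits per source address. The log lines, the `/app/...` paths and the parameter names are constructed for the example and are not real Accellion FTA endpoints; combined-format logs carry no session state, so the check keys on request payloads rather than on authentication status.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (combined log format). Hosts, paths and
# parameters are invented for this example and are not real FTA endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2020:03:14:07 +0000] "GET /app/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2020:03:14:09 +0000] "GET /app/files.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 734 "-" "python-requests/2.25"
198.51.100.9 - - [20/Dec/2020:03:15:02 +0000] "POST /app/admin.php?cmd=id%3Bcat%20/etc/passwd HTTP/1.1" 500 0 "-" "curl/7.64"
192.0.2.44 - - [20/Dec/2020:03:16:10 +0000] "GET /app/files.php?id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2020:03:17:30 +0000] "GET /app/files.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 734 "-" "python-requests/2.25"
"""

# One combined-log line: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse payload signatures for the two flaw classes the report names.
# These are hunting heuristics, not a complete WAF ruleset.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "sqli: tautology after quote"),
    (re.compile(r"(--|#|/\*)\s*$"), "sqli: comment terminator"),
    (re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I), "blind sqli: time-based probe"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "sqli: union select"),
]
CMDI_PATTERNS = [
    (re.compile(r"[;|&`]\s*(id|cat|ls|wget|curl|sh|bash|nc)\b", re.I), "cmdi: shell metachar + command"),
    (re.compile(r"\$\([^)]*\)"), "cmdi: command substitution"),
]


def parse_line(line):
    """Parse one access log line; return a dict with decoded path and params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote_plus(parts.path)
    # parse_qsl percent-decodes each value, so encoded payloads are inspected in clear
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the sorted, de-duplicated list of signature labels matching this request."""
    reasons = set()
    candidates = [entry["path"]] + [value for _, value in entry["params"]]
    for value in candidates:
        for rx, label in SQLI_PATTERNS + CMDI_PATTERNS:
            if rx.search(value):
                reasons.add(label)
    return sorted(reasons)


def scan_log(text):
    """Scan a block of log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than crash the hunt
        reasons = classify(entry)
        if reasons:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
                           "target": entry["target"], "reasons": reasons})
    return alerts


def alerts_by_source(alerts):
    """Count alerts per client IP; repeated hits from one source are the strongest signal."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["ts"], alert["ip"], alert["method"], alert["target"], "->", ", ".join(alert["reasons"]))
    print("hits per source:", alerts_by_source(found))
```

Against the constructed sample the scan flags three of the five requests: the quoted tautology with a comment terminator, the `;cat` command injection against the admin path, and the time-based blind SQL injection probe, two of them from the same source address. In practice the signature list would be tuned to the product's real parameter names and the per-source counts fed to alerting, since a single odd request is noise but a burst of injection payloads from one client against an internet-facing file transfer appliance is not.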
## Response Actions
- **Containment measures:** Immediate termination of the vendor relationship with Accellion to prevent any further potential exposure originating from that platform.
- **Eradication steps:** Decommissioning or migration away from the compromised Accellion platform (implied by vendor termination).
- **Recovery actions:** Direct communication with affected customers (less than 1% of the total base) regarding the data exposure.
## Lessons Learned
- The prevalence and risk associated with using widely adopted, yet obsolete and unpatched, legacy solutions (Accellion FTA).
- The criticality of robust third-party vendor security hygiene; the primary vector of compromise for Kroger was a vendor's environment, not Kroger's primary network infrastructure.
- The importance of vendor risk management (VRM) to scrutinize the security practices of partners hosting sensitive data.
## Recommendations
- Aggressively inventory and decommission all legacy file transfer solutions that are past end-of-life or have known, critical, unpatched vulnerabilities.
- Implement rigorous Third-Party Risk Management (TPRM) programs to assess and continuously monitor the security posture of all vendors handling organizational or customer data.
- Ensure timely patching, especially for critical infrastructure components, even when the vendor's own patch notifications are late or absent.