Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers

Kroger has announced it has suffered a data security incident involving the exploitation of SQL injection vulnerabilities in its Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy appliance that was released around 20 years ago as a secure file transfer solution for sharing files too large to send via email.

A zero-day vulnerability in the product was first identified by Accellion in mid-December 2020, with a further three vulnerabilities subsequently identified. Some of those vulnerabilities were exploited by a threat actor to gain access to the vulnerable devices. The hacker then installed a web shell which was used to exfiltrate sensitive data.

Accellion explained in a February 22, 2021 press release that Mandiant had investigated the security incident and attributed the attacks to a criminal hacker tracked as UNC2546. UNC2546 has been linked to the FIN11 hacking group and CL0P ransomware operation.

In January, several Accellion FTA customers reported receiving ransom demands for the return of stolen data. Threats were made to publish stolen data on the CL0P ransomware data leak site if the ransom was not paid. Accellion says around 300 customers use the Accellion FTA, fewer than 100 were victims of the attack, and fewer than 25 suffered significant data theft. Ransomware was not used in the attacks.

Kroger was alerted to the breach on January 23, 2021 and discontinued use of the Accellion FTA. An internal investigation was conducted to determine which information had potentially been stolen. Kroger said fewer than 1% of its customers were affected, most of whom were customers of Kroger Health and Money Services, including pharmacy and Little Clinic patients and beneficiaries of its Health and Welfare Benefit Plan and Retiree Health and Welfare Benefit Plan.

The breached information included patient names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance claim information, prescription information, and some medical history information. No financial information or customer account passwords were compromised, and there have been no reports of the misuse of any customer data. Kroger has offered complimentary credit monitoring services to all affected customers.

The HHS’ Office for Civil Rights breach portal indicates 1,474,284 individuals were affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.