Kroger, the U.S.-based supermarket chain, is the latest victim of a data breach through Accellion’s legacy file transfer software. In an official notice, the retail giant admitted that it was impacted by a security breach after an unauthorized third party gained access to certain Kroger files, affecting some of its customers’ information.
The data breach occurred due to a bug in Accellion’s file-sharing software, which was also used by New Zealand’s Reserve Bank, itself the recent target of a cyberattack. Based in California, Accellion is a private cloud solutions company that provides software for third-party secure file transfers.
The security incident affected Accellion’s services and did not impact Kroger’s IT systems. Based on the primary investigation, the exposed information includes certain associates’ HR data, pharmacy records, and money services records. Kroger also clarified that no credit/debit cards, digital wallet information, or customer account passwords were affected by the incident. Upon discovery, Kroger discontinued the use of Accellion’s services and reported the incident to federal law enforcement for further investigation.
While there is no evidence of any misuse of personal information, Kroger stated that it is directly notifying the impacted customers and offering them free comprehensive credit monitoring services.
The Ripples of Accellion’s Bug
Cybercriminals attacked several organizations globally by exploiting the Accellion vulnerability. Several critical organizations like the Office of the Washington State Auditor (SAO), the Australian Securities and Investments Commission (ASIC), and New Zealand’s Reserve Bank suffered security breaches. Recently, Singapore telco giant Singtel issued a statement confirming that the data of over 129,000 of its customers was breached after attackers exploited the bug in Accellion’s software used by the company.