Kroger became the latest major company to announce a data breach, acknowledging in a statement that information from some current and former employees as well as customers of Kroger Health and Money Services were impacted by an attack on a third-party file transfer tool from Accellion.
The company said it is in the process of contacting victims but confirmed that none of its IT systems or any grocery store systems or data were affected by the breach.
“No credit or debit card information or customer account passwords were affected by this incident. After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident,” the statement said.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
“While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.”
Kroger was just one of many organizations affected by a larger attack on Accellion’s legacy File Transfer Appliance. According to the grocery chain’s statement, Accellion said “an unauthorized person gained access to certain Kroger files by exploiting a vulnerability” in the file transfer service.
Other victims of the same attack include the Reserve Bank of New Zealand, the University of Colorado, the auditor of Washington state and the law firm Jones Day, according to the Associated Press.
Security experts: End-of-life tools must be replaced
Multiple cybersecurity experts as well as FireEye’s analysis of the attack highlight that Accellion FTA is a 20-year-old application designed to allow an enterprise to securely transfer large files but it is nearing the end of life. Accellion asked its customers late last year to switch over to a new product it offers called kiteworks.
Karen Walsh, CEO at Allegro Solutions, explained that in late 2019, CentOS announced that it was no longer supporting CentOS 6 after November 2020.
Accellion’s FTA, Walsh said, relies on CentOS 6 to function and the company planned to migrate all of its customers to the new product before the Nov. 30 cut-off date but was not able to.
“This breach is another example of cybercriminals looking to exploit end-of-life tools, increasing the amount of scrutiny that companies should be placing on their legacy technologies. Functionally, this is an example of how supply chains create a domino effect,” Walsh said.
“Ultimately, this means that Accellion FTA customers were running a service that relied on a now-unsupported technology. As CentOS moved to end-of-life, Accellion needed to move their customers to a new platform. In the meantime, these malicious actors used a traditional SQL injection methodology to gain access.”
Oliver Tavakoli, CTO at Vectra, said the attack should serve as a reminder that security teams need to be keenly aware of the third-party tools they use, particularly with sensitive data, and to aggressively patch them.
Tavakoli also noted that organizations had to do a closer analysis of any legacy/near-end-of-life products which may longer be receiving the expected vulnerability testing efforts.
“The Accellion FTA hack has more in common with recent hacks of PulseSecure VPN servers than the more recent SolarWinds supply chain attack. When the vendor who supplies such a product spends 3 years trying to coax you to their new product, you may want to consider the subtext of that communication,” Tavakoli said.
He added that the attack was portable and required little customization because the purpose of Accellion’s FTA was to transfer large, potentially confidential data between organizations.
SolarWinds-like attacks on vendors
A number of cybersecurity experts expressed fears that attacks on companies like Accellion and SolarWinds were yet another example of the fraught situation facing organizations that rely on vendors and third-party systems to manage vital personal information.
Rehan Jalil, CEO of Securiti, said enterprises rely on their vendor’s resources, expertise and skills to protect data but without a standard security framework, attackers target low-hanging fruits such as outdated, legacy or vulnerable software to find sensitive data.
Jalil called on organizations to closely monitor and govern sensitive data they are responsible for while also creating data breach management plans and data maps of all data processing activities.
The unfortunate reality, according to Netenrich threat intelligence adviser John Bambenek, is that enterprises have little choice but to trust the vendors.
“Microsoft still has zero days from time to time and almost every other software vendor is far smaller than Microsoft,” Bambenek said. “While, at present, there is no one-way to protect against compromises of vendors, such an event is the first step in a long chain of events that lead to a breach.”
Many said companies needed to have more stringent assessments of third-party tool providers as well as automated security systems that could automatically detect any non-authorized activity.
But this is easier said than done, according to Purandar Das, CEO at Sotero. The task of orchestrating and ensuring security across the vendor/partner ecosystem is exponentially harder, given that the dependencies, the technology stack and the security practices multiply,” Das explained.
“The risk to data that is shared. Organizations engage vendors and service providers under the belief that they will meet or exceed in-house security standards. It is a good bar to set but difficult one to enforce given the lack of visibility and control,” Das said.
“Ultimately, the continued loss of information, entrusted to organizations, will cause reputational damage to companies and the trust they hope to earn. Organizations have to start owning the security of their data whether it is with them or with another partner. They need to ensure that their data can be kept safe even if a third party is compromised.”