Dive Brief:
- Kroger systems were compromised as part of the larger Accellion hack discovered in December, according to a company announcement. Employee HR data, pharmacy records and "certain money services records" were impacted. So far the grocer hasn't found evidence of fraud or misuse from the incident.
- "Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service," said Kroger. The company cut off use of Accellion services following the incident.
- The grocer's own IT systems were not breached, and customer payment data was not affected. Kroger believes fewer than 1% of its customers were involved; the grocer serves 11 million customers daily across its locations.
Dive Insight:
Accellion, a file sharing services vendor with 3,000 customers, found a vulnerability in its File Transfer Appliance (FTA) product in December. At the time, Accellion notified the fewer than 50 customers impacted within three days of the discovery and issued patches. Neither Accellion nor any of the organizations impacted by the hack has attributed the attack to a particular actor.
However, the company found additional vulnerabilities in the FTA product in the weeks following the initial discovery. On Feb. 1, Accellion said it had patched all known vulnerabilities in FTA, the company's legacy large file transfer product, though it expects more bugs to surface.
Accellion had been encouraging customers to upgrade and migrate to Kiteworks, its newer secure file-sharing platform, for the last three years. Accellion accelerated FTA's "end-of-life plans" because of recent events, CISO Frank Balonis said in a company announcement.
Fallout of the Accellion incident is unfolding. More impacted FTA customers have come forward, including:
- The Office of the Washington State Auditor
- University of Colorado
- Singtel
- Reserve Bank of New Zealand
- Jones Day
- The Australian Securities and Investments Commission (ASIC)
- Goodwin Procter
"This appears to be a 'mini SolarWinds' and the question is whether Accellion is a new variant or it's something different," said Sachin Bansal, general counsel at SecurityScorecard, in an email to Cybersecurity Dive. "But there are many parallels" between the attacks, which take advantage of a third-party technology provider.
Like Kroger, law firm Jones Day said its IT systems were not impacted by Accellion's breach. However, DataBreaches.net reported threat actors behind the Clop ransomware have obtained data from Jones Day.
Clop operators previously targeted Germany-based Software AG in October. The company's customer data was not impacted, though in response Software AG "shut down the internal systems in a controlled manner in accordance with the company's internal security regulations." The actors demanded a $20 million ransom.
A Clop spokesperson told DataBreaches.net the group directly hacked Jones Day "where the Accellion was and took the data from there." From there the hackers "spammed the company but didn't engage with their invitations for communication."
Clop operators said they did not encrypt Jones Day's files, Vice reported.
In recent days Clop actors have published data from Accellion customers including Singtel and Jones Day, Risky.Biz reported.