Kroger has announced that it experienced a data security incident in which attackers exploited SQL injection vulnerabilities in the Accellion File Transfer Appliance (FTA) it used. The Accellion FTA is a legacy appliance launched about 20 years ago as a secure file transfer tool for sharing large files that cannot be sent by email.
Accellion first discovered a zero-day vulnerability in the product in mid-December 2020 and subsequently identified three more. A threat actor exploited some of these vulnerabilities to gain access to vulnerable appliances and then installed a web shell, which was used to exfiltrate sensitive data.
In a press release on February 22, 2021, Accellion stated that Mandiant had investigated the incident and attributed the attacks to the threat actor tracked as UNC2546. This designation is associated with the FIN11 hacking group as well as the CL0P ransomware campaign.
In January, a number of Accellion FTA customers reported receiving ransom demands for the stolen data, with threats to publish the information on the CL0P ransomware data leak site if no ransom was paid. Accellion states that about 300 customers use the Accellion FTA, that fewer than 100 were victims of the attack, and that fewer than 25 experienced substantial data theft. No ransomware was deployed in the attacks.
Kroger was informed of the breach on January 23, 2021 and discontinued use of the Accellion FTA. Kroger conducted an internal investigation to determine which data the attackers may have stolen. According to Kroger, less than 1% of its customers were affected, most of them customers of Kroger Health and Money Services, including pharmacy and Little Clinic patients as well as beneficiaries of its Retiree Health and Welfare Benefit Plan and Health and Welfare Benefit Plan.
The patient data affected by the breach includes names, dates of birth, addresses, phone numbers, Social Security numbers, insurance claim data, prescribed medication details, and some medical history. No financial data or customer account passwords were compromised, and there is no indication that any customer information has been misused. Kroger has provided free credit monitoring services to all customers affected by the breach.
Kroger has yet to report the incident to HHS’ Office for Civil Rights, so the number of patients affected is still unclear.