Grocery and pharmacy chain Kroger has started informing customers and associates of a data breach involving Accellion’s file transfer service FTA.
The Cincinnati-based retail company operates more than 2,900 locations across 35 states and the District of Columbia, including department stores, hypermarkets, jewelry stores, supermarkets, and superstores.
In a data breach notification on its website, the company says that a data security incident involving Accellion’s FTA service has resulted in unauthorized access to certain Kroger data.
According to Kroger, information that might have been affected by the incident includes associates’ HR data, pharmacy records, and money services records.
“No grocery store data or systems, credit or debit card (including digital wallet) information, or customer account passwords were impacted,” the company underlines.
Kroger said it was informed of the incident on January 23 and that it has since discontinued the use of FTA, launched an investigation into the incident, and also contacted federal law enforcement on the matter.
“Kroger has no indication of fraud or misuse of personal information as a result of this incident. However, Kroger is directly notifying potentially impacted customers and associates through mail notices,” the company says.
Meant to provide secure file transfers, the FTA service was found recently to be riddled with vulnerabilities that allowed adversaries to access certain information of Accellion’s customers.
Less than 50 organizations were using the file sharing service in mid-December, when the first vulnerabilities were discovered, but the number of affected individuals has at least seven figures.
Accellion has formally announced plans to retire FTA, a 20-year-old service, saying that it would honor ongoing license agreements past the end-of-life point, which has been set for April 30, 2021.
The Australian Securities and Investments Commission (ASIC), the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and Singapore telecoms firm Singtel were among the organizations affected by the cyber-attack on FTA.
Prominent U.S.-based law firm Jones Day was also affected, and some of the information stolen from the organization was recently leaked online by the Clop ransomware gang, which is believed to be linked to the financially-motivated, Russian-speaking group known as TA505 and Hive0065.
Related: Enterprise Solutions Provider ‘Software AG’ Hit by Clop Ransomware
Related: Clothing Brand Bonobos Notifies Users of Data Breach
Related: Kawasaki Says Data Possibly Stolen in Security Breach