Cyber Incident Victim: The Kroger Co.
Date: Dec 2020
Location: United States of America
Summary
Kroger experienced a data breach stemming from a compromise in Accellion's secure file-transfer service, which was exploited by threat actors to access sensitive information. The incident impacted certain human resources records, pharmacy data, and money services details, though grocery systems, payment card information, and customer passwords remained unaffected. The company discontinued use of the vulnerable service upon notification and initiated notifications to affected individuals, offering complimentary credit monitoring. This breach was part of a broader campaign targeting Accellion FTA users, with attackers stealing data from multiple organizations through the exploited vulnerability before a patch was deployed.
Description
Kroger, one of the world's largest retailers operating nearly 2,800 stores across 35 states, experienced a data breach stemming from a compromised third-party file transfer service. The incident originated from a zero-day vulnerability in Accellion's File Transfer Appliance (FTA) software, which threat actors actively exploited beginning in mid-December 2020. Accellion publicly disclosed the critical security flaw during that month and released an emergency patch on December 25, 2020. Kroger was notified by Accellion about the breach on January 23, 2021, prompting immediate discontinuation of the FTA service. Subsequent investigation revealed attackers exfiltrated sensitive information through this vulnerability before Kroger could apply the patch. The compromised data included human resources records pertaining to associates, pharmacy customer information, and money services records. Notably unaffected were Kroger's core grocery systems, payment card data, customer account credentials, and store operational networks.

Kroger confirmed the breach's scope through internal analysis coordinated with Accellion and reported no evidence that the stolen data had been misused as of its February 2021 disclosure. The company initiated postal mail notifications to impacted individuals and offered twelve months of complimentary credit monitoring services. This incident formed part of a broader campaign targeting Accellion FTA users across multiple sectors, with attackers subsequently issuing ransom demands to some victims and threatening public data release. Kroger emphasized that the breach exclusively affected data processed through Accellion's platform rather than internal corporate systems. The retailer maintained normal business operations throughout the incident response period while collaborating with cybersecurity professionals to assess residual risks. Accellion's widespread deployment among enterprises and government entities led security analysts to anticipate further breach disclosures from other organizations beyond the initial wave.
