Accellion Hack Shows Need to Plan for Third-Party Crises

Thom Weidlich 02.25.21


Supermarket chain Kroger Co. is one of the latest companies to reveal that it’s a victim of the data breach at file-sharing vendor Accellion Inc. Kroger’s statement was more forthcoming than others we’ve seen. The situation is a reminder that companies must prepare for crises that stem from outfits they do business with.

Cincinnati-based Kroger on Feb. 19 issued a press release announcing that Accellion had told it about the breach on Jan. 23. It immediately dropped the service, told law enforcement and launched its own probe. Its investigation showed that less than 1 percent of its Kroger Health and Money Services clients were impacted, it said.

In the release, the company emphasized that the issue was limited to Accellion’s services and didn’t affect Kroger’s IT systems or those of its grocery stores, so no payment card information was affected. It included a typical — and necessary — affirmation that it takes data security seriously.

Kroger didn’t say anything about whether the hackers made an extortion demand to not publish pilfered data, as they have with some victims.

“While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them,” it wrote. While probably unneeded, that was a smart move; it shows it cares about its customers.

In another smart move, Kroger distanced itself from the third-party problem right in the headline, which opens with Accellion’s name rather than its own: “Accellion Security Incident Impacts Kroger Family of Companies Associates and Limited Number of Customers.”

Legacy Product

Accellion, based in Palo Alto, California, publicly announced the breach on Jan. 12. The problem was with a 20-year-old legacy product that organizations use to transfer large files. Accellion said it resolved the problem, which affected fewer than 50 customers, in less than three days. It said its newer product has no such issues and it encouraged companies to upgrade to it.

Other victims of the Accellion hack reportedly include law firm Jones Day, the Reserve Bank of New Zealand and the Washington State Auditor’s Office.

The incident shows that crises can arise from relationships companies have with vendors and other outsiders. Potential scenarios related to this should be a part of any crisis plan. And since we now all have our heads in the “cloud,” this may be especially true when it comes to computers.

As UK news site Dark Reading wrote in December, in a roundup of major third-party computer intrusions last year: “With third-party breaches from vendors and other outside entities rising while regulations and laws are enacted to extract ever greater penalties from such breaches, proper Third-Party Risk Management (TPRM) is more important than ever.”

That goes for communicating, too.

Image Credit: Alexander Alexanderov/Shutterstock

