Experts React to Retail Giant Kroger Data Breach

It has been reported that Kroger Co. has announced it was among the victims of a data breach involving Accellion’s file-transfer service. The company believed that only 1% of its customers were affected; those customers are being notified of the breach. Kroger said it was among the victims of the December hack of FTA, a file-transfer product developed by Accellion, and that it was notified of the incident on 23 January, when it discontinued the use of Accellion’s services. The following cybersecurity experts commented on the news:

Trevor Morgan, Product Manager
InfoSec Expert
February 22, 2021 3:14 pm

One interesting aspect of data security incidents is that they aren’t necessarily one-off events. Given that many enterprises depend on the same tools or software within their IT infrastructures, when a vulnerability in a core tool is exposed, a domino effect of incidents takes place as various organizations announce the effect on them and their customers.

This is the case with the ongoing Accellion file-transfer breach. Kroger is the latest organization to announce that it was affected by this incident. By all accounts, when they became aware of the situation back in January, they ceased usage of the software in question and have performed their due diligence in analyzing the scope of their exposure and notifying customers accordingly. While they believe that less than 1% of their customers were affected, that’s still too many people whose personal, sensitive information may be compromised.

The real solution to this problem for all companies who process and retain customers’ sensitive information is to reconsider just how data-centric their security posture really is. Are their protection methods enforcing borders and perimeters around stored data, or are they protecting the data itself? Data-centric security such as tokenization and format-preserving encryption obfuscates sensitive information so that even if it falls into the wrong hands, the sensitive meaning cannot be derived. People’s identities are not exposed, and the data becomes worthless to threat actors. Situations like this one should make any conscientious enterprise stop, investigate, and determine whether its most sensitive data is really protected enough to prevent exposures like this.

Martin Jartelius, CSO
InfoSec Expert
February 22, 2021 3:15 pm

It’s been a month from becoming aware of the breach to this wider disclosure, but it seems it’s been hard to establish who has been affected at all – leaving the company with the very tough decision on who to inform, and a challenge of meeting the timeliness of doing so.

Amit Sharma, Security Engineer
InfoSec Expert
February 24, 2021 1:51 pm

One of the most substantial security challenges organisations currently face is how to manage their legacy products. They may be built using older technologies and sometimes lack the security features that come with new languages and frameworks. Organisations should enforce their application security governance, risk, and compliance (GRC) policies on the portfolio of products they employ. This includes applying individual risk ratings to each application based on criteria including (but not limited to) the size of the customer base using the application, prevalence of application usage, whether the application is internet facing, the type of data it collects, and how that data is handled/stored, etc. From there, security controls need to be defined and applied as per the risk ratings that they imply.

Proper validation of these controls should be applied using a defense-in-depth strategy to protect critical data. In other words, implementing multiple layers of security controls throughout the application’s software development life cycle. Additionally, a vulnerability management policy should be in place to identify and eradicate existing vulnerabilities which may surface in the future as the world of application security and cybersecurity evolves.

Information Security Buzz