It’s hard to turn a blind eye when news drops of another data breach. And when the breach exposed company and stakeholder personal data during a file transfer process, those of us at Coviant Software can’t ignore it, especially since it affected a number of well-known organizations, including the Kroger supermarket chain and Royal Dutch Shell (parent of Shell gas stations). We sat up, read the reports, and paid attention.
As an outsider looking in, it’s always difficult to know the details of any data breach. And, as a software company with our own managed file transfer services, we want to make sure not to appear to be throwing stones. Organizations affected by a breach often have legal considerations preventing them from discussing exactly what went wrong, and experts can only make speculative statements based on their experiences with other, similar incidents.
It is, however, important to stay informed. It’s also understood that an incident originally affecting one specific product ends up affecting all similar products by association. Such events hit close to home, and they always prompt questions and re-evaluation from business partners, prospective customers, and consumers.
According to a report from TechRepublic, the file transfer appliance breached in the Kroger case was a twenty-year-old piece of legacy hardware. It had been rendered obsolete when its maker discontinued the appliance’s operating system in 2020, a year after announcing that it would do so.
Hackers pay attention to the details of such developments. They know that when software is approaching end-of-life, the resources normally dedicated to keeping it safe shift to whatever new product is taking its place. Vulnerabilities in the old software become less likely to be discovered and patched, leaving room for exploitation. In this case, criminal hackers compromised the appliance using a common SQL injection attack, according to the TechRepublic report. SQL injection is a well-understood class of flaw that routine security testing catches in products still under active maintenance, which is exactly the testing an end-of-life product stops receiving.
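The report does not say what the appliance’s actual flaw looked like, so the following is a generic illustration added here, not code from the appliance or from Coviant. It shows the SQL injection pattern in a toy file-transfer job lookup: one query built by splicing user input into the SQL text, and the hardened form that binds the input as a parameter. It also includes a crude source check for query strings assembled with f-strings, `%` or `.format()`, the kind of quick audit a team can run on a product it suspects is no longer being tested. The table, job records and `INJECTION` string are constructed for the example.

```python
"""Added example: SQL injection in a toy file-transfer job lookup,
the hardened equivalent, and a crude source check for risky queries.
Not the appliance's code; all data below is constructed."""
import re
import sqlite3

# Constructed sample data: transfer jobs owned by two accounts.
SAMPLE_JOBS = [
    ("alice", "q1-payroll.csv"),
    ("alice", "vendor-list.xlsx"),
    ("bob", "contracts.zip"),
]

# Classic tautology payload: closes the quoted value, then OR's in a true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed job records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (owner TEXT, filename TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?)", SAMPLE_JOBS)
    conn.commit()
    return conn


def list_jobs_vulnerable(conn, owner):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so quote characters in it are parsed as SQL syntax."""
    sql = f"SELECT filename FROM jobs WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_jobs_safe(conn, owner):
    """Hardened: the driver binds the value as data; it is never parsed as SQL."""
    sql = "SELECT filename FROM jobs WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both variants with an honest owner and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_honest": list_jobs_vulnerable(conn, "bob"),
        "vulnerable_injected": list_jobs_vulnerable(conn, INJECTION),
        "safe_honest": list_jobs_safe(conn, "bob"),
        "safe_injected": list_jobs_safe(conn, INJECTION),
    }


# Crude audit: execute() calls whose SQL is built with an f-string, % or .format().
# A heuristic for triage, not a replacement for a real static analyser.
RISKY_QUERY = re.compile(r"""execute\(\s*(?:f["']|["'].*["']\s*(?:%|\.format\())""")


def flag_risky_queries(source):
    """Return 1-based line numbers of execute() calls with string-built SQL."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if RISKY_QUERY.search(line)]


if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name}: {files}")
```

With the payload, the vulnerable lookup returns every job in the table because the WHERE clause has become `owner = 'x' OR '1'='1'`; the parameterized lookup returns nothing, since no owner is literally named `x' OR '1'='1`. The fix is structural (bind parameters everywhere), which is why a product that has stopped receiving vulnerability testing is exactly where such a bug can sit undetected.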
One security expert told TechRepublic that, to guard against such attacks, organizations should “do a closer analysis of any legacy/near-end-of-life products which may no longer be receiving the expected vulnerability testing efforts.” That’s good advice. It also bears on the recent consolidation in the managed file transfer market: the relationship an enterprise once relied on may fundamentally change under new ownership. Under such circumstances it is not unusual to find that prices rise, account managers change, support loosens, and the MFT service becomes a feature of a bigger platform, or is even obsoleted in favor of another product in the acquiring company’s portfolio.
Informing a customer that a product will soon be obsolete and must therefore be replaced is the right thing to do, but that doesn’t mean it will happen. After all, telling customers that they’ll no longer be able to use a product they’ve come to rely on is an awkward conversation to have. So, while vendors should make sure their customers are aware of any impending change that could affect their security, it ultimately falls to you to stay vigilant and take primary responsibility for your own security.
No organization will ever be perfect. In the business of helping others keep their data safe, however, whether as a multi-billion-dollar technology vendor or a smaller firm like Coviant, the basic responsibility to treat customer relationships as more than merely transactional still stands. That relationship rests on a delicate trust, maintained through transparency about issues that could affect data integrity. That has always been Coviant’s commitment to our customers.