ATLANTA — RaceTrac Petroleum said on Monday that the chain and its customers have been affected by a security incident involving one of its third-party service providers, Accellion Inc., that occurred in late December and into January.
“By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of the company’s RaceTrac Rewards Loyalty users,” the company said in a statement posted on its website.
Accellion resolved the vulnerability and released a patch within 72 hours to the approximately 50 customers affected, the Palo Alto, Calif., firm said.
The breach is an example of a new extortion tactic by ransomware gangs—emailing the victim’s customers directly and warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up, according to a report by Krebs on Security.
“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the email sent to a RaceTrac rewards program member and obtained by Krebs on Security reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”
Several gigabytes of the company’s files, including employee tax and financial records, have been posted to the victim shaming site for the Clop ransomware gang, the report said.
“This incident was limited to the aforementioned Accellion services and did not impact RaceTrac’s corporate network,” RaceTrac’s statement said. “The systems used for processing guest credit, debit and RaceTrac Rewards transactions were not impacted.”
RaceTrac has notified law enforcement and is continuing to investigate the hacking incident with Accellion and third-party security partners. If the company discovers any compromise to sensitive data of its partners, customers or employees, it will notify them of the affected records in accordance with the law, it said.
“We apologize for any inconvenience this incident may have caused,” said RaceTrac. “RaceTrac guests can be assured that we take the security of their personal information seriously. Data theft is pervasive, and, like retailers everywhere, we are continually working with our partners and law enforcement to evaluate and update our security measures to keep guests protected. We want to make shopping with us enjoyable, easy and safe. RaceTrac works closely with our third-party partners to better protect our guests and their personal information. If you receive unsolicited email requests alleging to be related to this incident, we encourage you to handle them with care and avoid responding or clicking embedded links.”
Shell Oil, based in The Netherlands, was also affected by the Accellion incident, it said in a statement posted on its corporate website, and it is investigating the breach. “There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure. The ongoing investigation has shown that an unauthorized party gained access to various files during a limited window of time. Some contained personal data and others included data from Shell companies and some of their stakeholders. Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks.”
Atlanta-based RaceTrac has been serving customers since 1934 and now operates more than 560 convenience stores in Alabama, Georgia, Florida, Louisiana, Mississippi, Texas and Tennessee. The company is No. 15 in the 2021 Top 40 Update to CSP’s 2020 Top 202 ranking of c-store chains by store count.