RaceTrac & Shell Impacted by Third-Party Cybersecurity Incident

Unauthorized parties accessed certain data stored in Accellion's File Transfer Appliance.

ATLANTA and HOUSTON — RaceTrac Petroleum Inc. and Shell Oil Co. announced they have been impacted by a security incident affecting third-party service provider Accellion Inc., a technology company that specializes in secure file sharing and collaboration.

RaceTrac stated that unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Appliance by exploiting a previously undetected software vulnerability. This includes email addresses and first names of some RaceTrac Rewards loyalty users.

The incident was limited to Accellion services and did not impact RaceTrac's corporate network. Additionally, the systems used for processing guest credit, debit and RaceTrac Rewards transactions were not impacted.

The convenience store retailer notified law enforcement and is continuing to investigate the incident with Accellion and third-party security partners. If it discovers any compromise to sensitive data of its spartners, customers or employees, RaceTrac will notify them of the impacted records in accordance with applicable law, the company said.

"We apologize for any inconvenience this incident may have caused. RaceTrac guests can be assured that we take the security of their personal information seriously," the company wrote in a released statement. "Data theft is pervasive, and, like retailers everywhere, we are continually working with our partners and law enforcement to evaluate and update our security measures to keep guests protected. We want to make shopping with us enjoyable, easy and safe. RaceTrac works closely with our third-party partners to better protect our guests and their personal information."

Atlanta-based RaceTrac operates more than 560 c-stores across Alabama, Georgia, Florida, Louisiana, Mississippi, Texas and Tennessee.

Shell stated that upon learning of the incident involving Accellion's File Transfer Appliance, which it uses to securely transfer large data files, it addressed the vulnerabilities with its service provider and cyber security team, and began an investigation to better understand the nature and extent of the incident. It found no evidence of any impact to Shell's core IT systems, as the file transfer service is isolated from the rest of Shell's digital infrastructure.

The ongoing investigation found that an unauthorized party gained access to various files during a limited window of time. Some of the files contained personal data, while others included data from Shell companies and some of their stakeholders. The company is in contact with the impacted individual and stakeholders, and is working with them to address possible risks. It has also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues, the company said.

"Cyber security and personal data privacy are important for Shell and we work continuously to improve our information risk management practices," Shell stated. "We will continue to monitor our IT systems and improve our security. We regret the concern and inconvenience this may cause affected parties."

Houston-based Shell Oil is an affiliate of Royal Dutch Shell plc, a global group of energy and petrochemical companies with operations in more than 70 countries. In the United States, Shell operates more than 13,000 Shell-branded stations across 50 states.

According to Accellion, around 100 of its 300 customers that were running File Transfer Appliance servers were attacked, and data was stolen from approximately 25 of them, reported Industrial Safety and Security Source.

Other victims in the security breach include Kroger, which reported that data from some pharmacy customers was stolen, and Transport for NSW, leading transport and roads agency in New South Wales, Australia.