Kroger customer, employee data exposed in third-party data breach

A hack of a data file transfer services provider resulted in unauthorized access to personal information of some Kroger shoppers and workers.

In a public statement, Kroger disclosed the security incident affecting Accellion Inc. 

According to the grocer, on Jan. 23, 2021, Accellion gave notice that in December 2020, an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion's file transfer service. Kroger had been using a hosted file transfer solution from Accellion called FTA.

Kroger says the incident was isolated to Accellion's services and did not affect the IT systems or any grocery store systems or data of any of its banners. Although the retailer believes that no credit or debit card information or customer account passwords were affected by this incident, Cincinatti.com reports that data including customer names, home and email addresses, phone numbers, dates of birth, Social Security numbers, prescription information, and information used for processing insurance claims was exposed.

After being informed of the incident, Kroger discontinued the use of Accellion’s services, reported the breach to federal law enforcement, and initiated an internal forensic investigation. Based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of its health and money services, have been impacted. Kroger is notifying affected customers, as well as current and former employees with HR records that were impacted.

Kroger says it has “no indication of fraud or misuse of personal information as a result of this incident,” but out of caution is offering free credit monitoring to all affected individuals. The company is maintaining a webpage with information updates.