Kroger has reported a data breach that could include social security numbers of customers who use the grocer's pharmacy services.
But Kroger said consumer payment information had not been compromised. Even so, the incident provides fresh warning for food retailers that as data becomes more digital and voluminous, criminals have more opportunity to steal valuable information.
The breach involved Accellion, whose technology is used by retailers for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion's file transfer service.
According to Kroger, the incident was isolated to Accellion’s services and did not affect Kroger’s IT systems or any grocery store systems or data. No credit or debit card (including digital wallet) information or customer account passwords were affected by this incident. After being informed of the incident’s effect on Jan. 23, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.
At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted. In addition, current and certain former associates will be notified that certain HR records have been impacted.
Protecting data is a priority for the Kroger Family of Companies and it is directly contacting all customers and associates who may have been affected to inform them of the incident. While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.
Earlier this year, Hy-Vee said it had reached a preliminary settlement agreement in a class action brought by customers whose credit and debit card information was exposed as a result of a huge data breach at some of the company’s stores, according to a published report.
In Aug. 2019, Hy-Vee revealed the existence of a data breach affecting customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants. Locations across the grocer’s eight-state Midwestern market area were affected by the breach, which lasted between seven to eight months, starting in Dec. 2018 at some locations. Information from more than 5.3 million debit and credit cards was compromised over that time.
Cincinnati-based Kroger employs nearly half a million associates who serve more than 11 million customers daily through a seamless digital shopping experience and 2,800 retail food stores under a variety of banner names. The company is No. 3 on The PG 100, Progressive Grocer’s 2020 list of the top food and consumables retailers in North America. West Des Moines, Iowa-based Hy-Vee, the parent company of Vivid Clear Rx, operates more than 275 retail stores and is No. 33 on PG's list.