Kroger Co. said in a statement Friday that personal data, including Social Security numbers of some of its pharmacy and clinic customers, may have been stolen in the hack of a third-party vendor’s file-transfer service. The third-party vendor, Accellion, was used by Kroger as well as many other companies for secure third-party file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion's file transfer service.
Kroger said it believes less than 1 percent of its customers were affected — specifically some using its Health and Money services — as well as some current and former employees, because a number of personnel records were apparently viewed. The grocery and pharmacy chain said it's notifying those potentially impacted and offering them free credit monitoring services. Kroger said the breach didn't affect the company's store IT systems or grocery store systems or data, and there has so far been no indication of fraud involving accessed personal data.
Total Retail's Take: Kroger is taking the hack very seriously, as it should. In addition to discontinuing the use of Accellion's services, reporting the incident to federal law enforcement, and initiating its own forensic investigation to review the scope and impact of the breach, Kroger also published the following statement: "Protecting data is a priority for the Kroger Family of Companies and it is directly contacting all customers and associates who may have been affected to inform them of the incident. While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them."