Kroger Company reveals it was one of the numerous victims of a data breach involving the file-transfer service of a third-party provider. The Cincinnati-based company has 2,750 retail grocery stores and 2,200 pharmacies nationwide.
Kroger said it has suffered from the December hack of the FTA file-transfer product developed by Accellion, a California-based cloud solutions company. To exchange vast volumes of data and heavy email attachments, businesses use Accellion's file-transfer product.
Kroger released a statement on their website about the data breach incident. It claimed that grocery store data or Kroger IT data were not affected by the hack. Besides, credit or debit cards, including digital wallet details or consumer account passwords, were not compromised.
The company was notified on January 23 of the data breach incident and subsequently stopped using Accellion's services. Accellion said that by exploiting a vulnerability in the file transfer service, an unauthorized person gained access to some Kroger files.
In the statement, Kroger said that fewer than 1% of its customers were impacted. Specifically, those affected are using its Health and Money Services, and some current and former employees, since several staff documents were viewed.
Accellion has over 3,000 clients around the world. The product affected was said to be 20 years old and approaching the end of its life. On February 1, the company said that it had fixed all identified bugs in the FTA.
According to Cincinnati.com, the data breach warning was issued as a violation of the federal health law, Healthcare Insurance Portability and Portability Act of 1996 (HIPPA).
Kroger is providing anyone affected by the breach with free comprehensive credit monitoring. Also, customers and associates potentially affected are in the process of being informed by the company via mail notices.
The incident has been reported to federal law enforcement. Kroger began its investigation into the possible extent and result of the breach of data.
Based on Kroger's investigation and the information given by Accellion, the records obtained included the following data: patient names, contact numbers, dates of birth, home addresses, email addresses, social security numbers, insurance claims, and prescriptions.
Kroger listed beneficiaries of The Kroger Co. Health and Welfare Benefit Plan, and The Kroger Co. Retiree Health and Welfare Benefit Plan, as victims of the incident. Moreover, The Little Clinic, Kroger Pharmacies, and its other family of pharmacies run by Fred Meyer Stores Inc. and Ralphs Grocery Company might be potentially affected as well.
