Kroger is latest victim of third-party software data breach
Kroger Co. says it was among the multiple victims of a data breach involving a third-party vendor’s file-transfer service and is notifying potentially impacted customers, offering them free credit monitoring.
The Cincinnati-based grocery and pharmacy chain said in a
statement Friday that it believes less than 1% of its customers were affected —
specifically some using its Health and Money Services — as well as some current
and former employees because a number of personnel records were apparently
viewed.
Kroger said the breach did not affect Kroger stores’ IT
systems or grocery store systems or data and there was no indication that fraud
involving accessed personal data had occurred.
The company, which has 2,750 grocery retail stores and 2,200
pharmacies nationwide, did not immediately respond to questions including how
many customers might have been affected.
Kroger said it was among victims of the December hack of a
file-transfer product called FTA developed by Accellion, a California-based
company, and that it was notified of the incident on Jan. 23, when it
discontinued use of Accellion’s services. Companies use the file-transfer
product to share large amounts of data and hefty email attachments.
Accellion has more than 3,000 customers worldwide. It has
said that the affected product was 20 years old and nearing the end of its
life. The company said on Feb. 1 that it had patched all known FTA
vulnerabilities.
Other Accellion customers affected by the hack include the
University of Colorado, Washington State’s auditor, Australia’s financial
regulator, the Reserve Bank of New Zealand and the prominent U.S. law firm
Jones Day.
For Washington State’s auditor, the hack was particuarly
serious. Exposed were files on 1.6 million claims obtained in its investigation
of massive unemployment fraud last year.
In the case of Jones Day, cybercriminals seeking to extort
the law firm dumped an estimated 85 gigabytes of data online they claimed to
have stolen.
Former President Donald Trump is among Jones Day clients but
the criminals told The Associated Press via email that none of the data was
related to him.
Comments
Post a Comment