Kroger Notifies Customers and Associates of Data Breach Incident


Kroger is notifying customers of a data breach, two months after the supermarket chain’s file transfer service Accellion disclosed a cyberattack.

The supermarket giant is the latest victim of the zero-day vulnerability exploited by malicious actors in the December 23 attack. Although Accellion released a patch for the vulnerability within 72 hours of its discovery, cybercriminals quickly capitalized on the exploit, stealing confidential information from multiple companies that use their FTA file-transfer service.

According to a data breach security notification, the incident did not impact Kroger’s IT systems directly, and no financial information of customers was compromised.

“The incident was isolated to Accellion’s services and did not affect Kroger’s IT systems or any grocery store systems or data,” the advisory reads. “No credit or debit card (including digital wallet) information or customer account passwords were affected by this incident. After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.”

However, the preliminary investigation shows that employee data, pharmacy records and money services records may have been exposed. Although Kroger’s data security incident page lacks a detailed description of compromised data, we can speculate as to the nature of potentially stolen information based on past security incidents.

For example, pharmacy records may include diverse personal and health information, including customer name, address, contact information, prescription data, and health plan. In some instances, this information can also include highly  sensitive data such as Social Security numbers.

Kroger said it is contacting all potentially impacted customers or “associates” via email and that, as a preventive identity theft measure, it will provide a free year of credit monitoring.

“While at this time we have no indication of fraud or misuse of personal information as a result of this incident, we are offering free credit monitoring to all impacted individuals out of an abundance of caution,” Kroger’s data breach advisory explains.

Were you a victim of a data breach? Find out with Bitdefender’s Digital Identity Protection tool.