Kroger Hit by Breach, No Customer Data Misused


Major grocer Kroger said it was hit by a cyberattack, but that no personal shopper data or credit card information was misused, in an incident that also hit government entities in New Zealand and Australia, a U.S. college, a state’s auditor and a prominent law firm, AP reports.

What may have been stolen, Kroger said, was its HR data and pharmacy records. The attack targeted Accellion, a provider of file transfer technology used by Kroger. According to AP, the company said its system was 20 years old and nearing the end of its lifecycle. Kroger was notified of the breach on Jan. 23, when it discontinued its use, and all known vulnerabilities were patched by Feb. 1.

Cincinnati-based Kroger, which operates nearly 3,000 stores, told the AP it believes less than 1% of customers were affected, specifically those using its health and money services. Personnel records of current and former employees were also apparently viewed. The Accellion product in question is called File Transfer Appliance (FTA), which lets customers share large, sensitive files too large for email.

Law firm Jones Day, whose clients include former president Donald Trump, was also a victim of the breach, but the criminals told the AP none of the 85 gigabytes of dumped data was related to him.

Some of the major data breaches so far in 2021 include ecommerce brand Bonobos, owned by Walmart (data from 7 million customers), Facebook, LinkedIn and Instagram (all in a single incident involving 214 million users) and wireless carrier U.S. Cellular (records of 4.9 million customers), according to IdentityForce.