Fred Meyer, QFC parent Kroger, says pharmacy customer data has been affected by a supplier hack

BOSTON – Kroger Co. says personal information, including Social Security numbers, of some of its pharmacy and clinic customers may have been stolen in the hack of a third-party file transfer service.

The Cincinnati-based grocery and pharmacy chain, with subsidiaries Fred Meyer and QFC in the Pacific Northwest, said in a statement Friday that it believes less than 1% of its customers were affected, specifically some who used its Health and Money Services, as well as some current and former employees, because a number of personnel records were apparently viewed.

It says it will notify those who may be affected and offer free credit monitoring.

Kroger said the breach did not affect the IT systems of Kroger stores or the systems or data of its supermarkets, and that there is so far no evidence of fraud involving the accessed personal data.

The company, which has 2,750 supermarkets and 2,200 pharmacies nationwide, said on Sunday in response to inquiries from The Associated Press that an investigation into the extent of the hack was underway.

A Kroger spokeswoman said via email that affected patient information may include “names, email addresses, phone numbers, home addresses, dates of birth, social security numbers,” as well as information on health insurance, prescriptions and medical history.

Federal law requires organizations that process personal health information to notify the Department of Health and Human Services of any data breaches.

Kroger said it was one of the victims of the December hack of a file transfer product called FTA, developed by Accellion, a California-based company, and that it was made aware of the incident on January 23, when it discontinued use of Accellion’s services. Businesses use the file transfer product to share large amounts of data and large email attachments.

Accellion has more than 3,000 customers worldwide. The affected product is said to be 20 years old and nearing the end of its useful life. The company said on Feb. 1 that it had fixed all known FTA vulnerabilities.

Other Accellion clients affected by the hack include the University of Colorado, the Washington State Auditor, Australia’s financial regulator, the Reserve Bank of New Zealand, and the prominent US law firm Jones Day.

The hack was particularly serious for the Washington State Auditor. Files on 1.6 million claims obtained in its investigation of mass unemployment fraud last year were exposed.

In Jones Day’s case, cyber criminals who sought to extort the law firm dumped online an estimated 85 gigabytes of data that they claimed was stolen.

Former President Donald Trump is one of Jones Day’s clients, but the criminals told the AP via email that none of the data was related to him. The AP reached the criminals with questions by email through the dark web site where they posted documents stolen from the law firm.

It is not known whether the criminals who are extorting Jones Day were also responsible for the Accellion hack.
