Kroger Co. says it was one of several victims of a data breach involving a third-party file transfer service
BOSTON – Kroger Co. says it was one of several victims of a data breach involving a third-party file transfer service, and is alerting affected customers by offering them free credit monitoring.
The Cincinnati-based supermarket and pharmacy chain said in a statement Friday that it believes less than 1% of its customers were affected – particularly some who used its health and money services – as well as some current and former employees because of a number of employee records. was apparently being watched.
Kroger said the breach did not affect the IT systems of Kroger stores or the systems or data of supermarkets, and there was no evidence of fraud with access to personal data.
The company, which has 2,750 supermarkets and 2,200 pharmacies nationwide, did not immediately respond to questions about how many customers may have been affected.
Kroger said it was one of the victims of the December hack of a file transfer product called FTA, developed by Accellion, a California-based company, and that it was made aware of the incident on January 23, when it discontinued use of Accellion’s services. Businesses use the file transfer product to share large amounts of data and large email attachments.
Accellion has more than 3,000 customers worldwide. The affected product is said to be 20 years old and nearing the end of its useful life. The company said on Feb. 1 that it had fixed all known FTA vulnerabilities.
Other Accellion clients affected by the hack include the University of Colorado, the Washington State Auditor, Australia’s Financial Regulator, the Reserve Bank of New Zealand, and the prominent US law firm Jones Day.
The hack was particularly serious for the Washington State auditor. Files on 1.6 million claims obtained in the mass unemployment fraud investigation last year came to light.
In the case of Jones Day, cyber criminals who sought to extort the law firm dumped an estimated 85 gigabytes of data online that they claimed was stolen.
Former President Donald Trump is one of Jones Day’s clients, but the criminals told The Associated Press via email that none of the data related to him.