The Kroger Co. Family of Companies has confirmed that it was impacted by the data security incident affecting Accellion Inc.
Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.
The incident was isolated to Accellion’s services and did not affect the Kroger Family of Companies’ IT systems or any grocery store systems or data. No credit or debit card information or customer account passwords were affected by this incident. After being informed of the incident’s effect on Jan. 23, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement and initiated its own forensic investigation to review the potential scope and impact of the incident.
At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1 percent of its customers, specifically customers of Kroger Health and Money Services, have been impacted. In addition, current and certain former associates will be notified that certain HR records have been impacted.
Protecting data is a priority for the Kroger Family of Companies and it is directly contacting all customers and associates who may have been affected to inform them of the incident. While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.
Additional information and future updates can be found at Kroger.com/AccellionIncident.
The Cincinnati, Ohio-based The Kroger Cos. has nearly half a million associates who serve over 60 million customers under a variety of banner names.