Information About the Accellion Incident

Kroger has confirmed that it was impacted by the data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.

Here are the facts as we understand them: The incident was isolated to Accellion’s services and did not affect Kroger’s IT systems or any grocery store systems or data. No credit or debit card (including digital wallet) information or customer account passwords were affected by this incident. After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.

Kroger has no indication of fraud or misuse of personal information as a result of this incident. However, Kroger is directly notifying potentially impacted customers and associates through mail notices and offering free comprehensive credit monitoring to those individuals out of an abundance of caution.

We have included below additional information about Accellion’s incident and the impact on Kroger customers and associates, as well as the steps we are taking to assist potentially impacted individuals. If you have additional questions about the incident, we encourage you to call our dedicated call center at 1 (855) 558-2999 between 6:00 AM – 8:00 PM PT (Monday through Friday) and 8:00 AM – 5:00 PM PT (Saturday and Sunday).

Frequently Asked Questions

    We were recently made aware that Kroger customers and associates were affected by the Accellion data security incident. Accellion is a vendor whose services were used by Kroger and many other companies for third-party secure data file transfers.

    After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident. Kroger’s own IT systems have not been affected by this incident. No grocery store data or systems, credit or debit card (including digital wallet) information, or customer account passwords were impacted. However, Kroger believes certain associate HR data, certain pharmacy records, and certain money services records have been affected.

    Accellion is a vendor that provides secure third-party data file transfer services to over 3,000 customers around the world.

    After being informed of the incident, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident. Kroger’s own IT systems have not been affected by this incident. No grocery store data or systems, credit or debit card (including digital wallet) information, or customer account passwords were impacted. However, Kroger believes certain associate HR data, certain pharmacy records, and certain money services records have been affected.

    Kroger is in the process of contacting potentially impacted customers and associates to inform them of the incident. While at this time we have no indication of fraud or misuse of personal information as a result of this incident, we are offering free credit monitoring to all impacted individuals out of an abundance of caution.

    At this time, based on the information provided by Accellion and our own investigation, Kroger believes the categories of affected data may include certain associates’ HR data, certain pharmacy records, and certain money services records. Importantly, there was no impact to grocery store data or systems; credit or debit card information; or customer account passwords.

    No. The incident was isolated to Accellion’s product and did not affect Kroger’s own IT systems.

    There was no impact to grocery store data or systems.

    No credit or debit card (including digital wallet) information was affected by this incident.

    Kroger is in the process of directly contacting potentially impacted customers and associates via mail notices to inform them of the incident. You will be receiving information if you are in that category.

    At this time, Kroger has no indication of fraud or misuse of personal information as a result of this incident.

    If you have additional questions about the incident, we encourage you to call our dedicated call center at 1 (855) 558-2999 between 6:00 AM – 8:00 PM PT (Monday through Friday) and 8:00 AM – 5:00 PM PT (Saturday and Sunday).