Information About the Accellion Incident
The Kroger Family of Companies ("Kroger") has confirmed that it was impacted by the data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.
Here are the facts as we understand them:
The incident was isolated to Accellion’s services and did not affect Kroger’s own IT systems, including its grocery store systems. However, the Accellion software was used for secure file transfers of certain HR data and pharmacy and clinic customer information. The impacted data varies by individual, and we are notifying impacted customers and associates directly by mail (USPS) to make them aware of which of their sensitive data may have been impacted. Approximately 2% of our customers were impacted. Our investigation has concluded, and we can confirm that non-sensitive information, including information about our loyalty program for coupons and product discounts, was also impacted. This incident did not impact customer passwords or credit card, debit card or digital wallet information.
At this time, Kroger has no indication of fraud or misuse of personal information as a result of this incident. However, out of an abundance of caution, Kroger has arranged to offer credit monitoring to any impacted individual at no cost to them.
We have included below additional information about Accellion’s incident and the impact on Kroger customers and associates, as well as the steps we are taking to assist potentially impacted individuals. If you have additional questions about the incident, we encourage you to call 1-800-KROGERS (576-4377).