Information About the Accellion Incident

The Kroger Family of Companies ("Kroger") has confirmed that it was impacted by the data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.

Here are the facts as we understand them:
The incident was isolated to Accellion’s services and did not affect Kroger’s own IT systems, including its grocery store systems. However, the Accellion software was used for secure file transfers of certain HR data and pharmacy and clinic customer information. The impacted data varies by individual, and we are notifying impacted customers and associates directly by mail (USPS) to make them aware of what sensitive data may have been impacted for them. Approximately 2% of our customers were impacted. Our investigation has concluded, and we can confirm non-sensitive information, including information about our loyalty program for coupons and product discounts, was also impacted. This incident did not impact customer passwords, credit or debit card or digital wallet information.

At this time, Kroger has no indication of fraud or misuse of personal information as a result of this incident. However, out of an abundance of caution, Kroger has arranged to offer credit monitoring to any impacted individual at no cost to them.

We have included below additional information about Accellion’s incident and the impact on Kroger customers and associates, as well as the steps we are taking to assist potentially impacted individuals. If you have additional questions about the incident, we encourage you to call 1-800-KROGERS (576-4377).

Frequently Asked Questions

    We were recently made aware that Kroger customers and associates were affected by the Accellion data security incident. Accellion is a vendor whose services were used by Kroger and many other companies for third-party secure data file transfers.

    After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident. Kroger’s own IT systems have not been affected by this incident. Our investigation has concluded, and we can confirm that certain associate HR data, certain pharmacy records, and certain money services records have been affected. Non-sensitive information, including information about our loyalty program for coupons and product discounts was also impacted.

    Accellion is a vendor that provides secure third-party data file transfer services to over 3,000 customers around the world.

    After being informed of the incident, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident. Kroger’s own IT systems have not been affected by this incident. Our investigation has concluded, and we can confirm that certain associate HR data, certain pharmacy records, and certain money services records have been affected. Non-sensitive information, including information about our loyalty program for coupons and product discounts was also impacted.

    Kroger started the process of contacting potentially impacted customers and associates on February 19 to inform them of the incident. While at this time we have no indication of fraud or misuse of personal information as a result of this incident, we are offering free credit monitoring to all impacted individuals out of an abundance of caution.

    Our investigation has concluded, and we can confirm that certain associate HR data, certain pharmacy records, and certain money services records have been affected. Non-sensitive information, including information about our loyalty program for coupons and product discounts was also impacted.

    No. The incident was isolated to Accellion’s product and did not affect Kroger’s own IT systems.

    Kroger started the process of directly contacting potentially impacted customers and associates on February 19 via mail notices (USPS) to inform them of the incident. You should receive information if you are part of the sensitive information group. Kroger’s own IT systems were not impacted. Non-sensitive information, including information about our loyalty program for coupons and product discounts was also impacted. No credit or debit card (including digital wallet) information was affected by this incident.

    No credit or debit card (including digital wallet) information was affected by this incident.

    Kroger started the process of directly contacting potentially impacted customers and associates on February 19 via mail notices (USPS) to inform them of the incident. You should receive information if you are part of the sensitive information group.

    At this time, Kroger has no indication of fraud or misuse of personal information as a result of this incident.

    If you have additional questions about the incident, we encourage you to call 1-800-KROGERS (576-4377).