Fred Meyer, QFC parent Kroger says pharmacy customers' data affected by vendor hack

BOSTON – Kroger Co. says personal data, including Social Security numbers of some of its pharmacy and clinic customers, may have been stolen in the hack of a third-party vendor's file transfer service.

The Cincinnati-based grocery and pharmacy chain, which includes subsidiaries Fred Meyer and QFC in the Pacific Northwest, said in a statement Friday that it believes less than 1% of its customers were affected, especially some who use its health and money services, as well as some current and former employees, because a number of staff records were apparently viewed.

It says it is notifying those who may be affected and offering free credit monitoring.

Kroger said the breach did not affect Kroger stores' IT systems or grocery store systems or data, and that so far there is no indication of fraud involving the accessed personal data.

The company, which has 2,750 grocery stores and 2,200 pharmacies nationwide, said Sunday in response to questions from The Associated Press that an investigation into the extent of the hack is ongoing.

A spokesman for Kroger said in an email that the patient information in question could include ‘names, email addresses, phone numbers, home addresses, dates of birth, social security numbers’ as well as information on health insurance, prescriptions and medical history.

Federal law requires organizations that handle personal health care information to notify the Department of Health and Human Services of any data breaches.

Kroger said it was among the victims of the hack of a file transfer product called FTA, developed by Accellion, a California company, and that it was notified of the incident on January 23, when use of Accellion's services was discontinued. Companies use the file transfer product to share large amounts of data and hefty email attachments.

Accellion has more than 3,000 customers worldwide. It is said that the product in question was twenty years old and nearing the end of its life. The company said on February 1 that it had patched all known vulnerabilities in the FTA.

Other Accellion clients affected by the hack include the University of Colorado, the state of Washington, the financial regulator of Australia, the Reserve Bank of New Zealand and the leading US law firm Jones Day.

For the Washington state auditor, the hack was particularly serious. Exposed were files on 1.6 million claims obtained last year in the investigation into massive unemployment fraud.

In the case of Jones Day, cybercriminals who wanted to blackmail the law firm dumped online an estimated 85 gigabytes of data that they allegedly stole.

Former President Donald Trump is among Jones Day's clients, but the criminals emailed the AP that none of the information was related to him. The AP emailed the criminals with questions via the dark web site where they posted documents stolen from the law firm.

It is not known whether the criminals who blackmailed Jones Day were also responsible for the Accellion hack.
