BOSTON (AP) – Kroger Co. says personal data, including Social Security numbers for some of its pharmacy and clinic customers, may have been stolen in the hack of a third-party vendor’s file transfer service.
The Cincinnati-based supermarket and pharmacy chain said in a statement on Friday that it believes less than 1% of its customers were affected – specifically some using its health and money services – as well as some current and former employees, because several personnel records were apparently viewed.
It says it is notifying those potentially affected and is offering free credit monitoring.
Kroger said the breach did not affect Kroger’s store IT systems or supermarket systems or data and that there has so far been no indication of fraud involving accessed personal data.
The company, which has 2,750 supermarkets and 2,200 pharmacies across the country, said on Sunday in response to questions from The Associated Press that an investigation into the scope of the hack was underway.
A Kroger spokeswoman said via email that affected patient information may include “names, email addresses, phone numbers, home addresses, birth dates, Social Security numbers,” as well as health insurance information, prescriptions and medical history.
Federal law requires organizations that handle personal health information to inform the Department of Health and Human Services of any data breaches.
Kroger said it was among the victims of the December hack of a file transfer product called FTA, developed by Accellion, a California-based company, and that it was notified of the incident on January 23, when it stopped using Accellion’s services. Companies use the file transfer product to share large amounts of data and large e-mail attachments.
Accellion has more than 3,000 customers worldwide. It said the affected product was 20 years old and was nearing the end of its useful life. The company said on February 1 that it had fixed all known vulnerabilities in FTA.
Other Accellion clients affected by the hack include the University of Colorado, the Washington State auditor, Australia’s financial regulator, the Reserve Bank of New Zealand and the prominent American law firm Jones Day.
For the Washington State auditor, the hack was particularly serious. The files of 1.6 million complaints obtained in its massive unemployment fraud investigation last year were exposed.
In Jones Day’s case, cybercriminals looking to extort the law firm dumped about 85 gigabytes of data online that they claimed to have stolen.
Former President Donald Trump is among Jones Day’s clients, but the criminals told the AP via email that none of the data was related to him. The AP contacted the criminals by email via the dark web site where they posted documents stolen from the law firm.
It is not known whether the criminals who extorted Jones Day were also responsible for the Accellion hack.