Kroger investigating pharmacy customer data compromised in hack, including social security information

Cincinnati-based grocery chain Kroger is investigating a recent hack that affected a small amount of its pharmacy customer data, including healthcare and social security information.

“At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted,” the company said in a Friday statement, adding it would contact current or former clients who may have been compromised.

Kroger said it was the victim of a December hack of a file-transfer product called FTA, developed by Accellion, a company based in California.

The grocery chain said no reports of fraud or misuse of customer information had been detected yet, adding, “Out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.”

Kroger has 2,750 grocery retail stores and 2,200 pharmacies across the United States.

In a Sunday statement to the Washington Examiner, a company spokesperson said Kroger “initiated its own forensic investigation to review the potential scope and impact of the incident.”

The grocery chain was notified of the incident on Jan. 23 and discontinued the use of Accellion’s services shortly afterward. Businesses use Accellion’s file-transfer product to share larger amounts of data and email attachments.

A Kroger spokeswoman told the Associated Press that the affected patient information could include “names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers,” as well as information on health insurance, prescriptions, and medical history.

Additional Accellion customers affected by the hack include the University of Colorado, Washington state’s auditor, Australia’s financial regulator, the Reserve Bank of New Zealand, and U.S. law firm Jones Day.

Attacks on Accellion customers started in December, around the same time as other large-scale hacking attempts on SolarWinds’s Orion products, which compromised several private and federal government clients who used the company’s systems. The cyberattacks on SolarWinds products are largely suspected of having come from Russia, according to the FBI and several U.S. intelligence agencies.

The National Defense Authorization Act for Fiscal Year 2021 was passed by Congress on Jan. 1 after it had been vetoed by former President Donald Trump. The bill includes a provision that would establish a White House national cybersecurity director, a position created by former President Barack Obama and previously eliminated by Trump.

As part of the NDAA’s provisions, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will be permitted to issue administrative subpoenas to internet service providers when it can’t determine the owner of critical infrastructure with security vulnerabilities. The measures aim to improve overall cybersecurity frameworks in both the private and public sectors.
