BOSTON (AP) –
Kroger Co. claims to have been one of the multiple victims of a data breach involving a third-party file transfer service and notifies potentially affected customers and offers them free credit check.
The Cincinnati-based grocery and pharmacy chain said in a statement Friday who believes less than 1% of their customers were affected, specifically some who use their health and money services, as well as some current and former employees because apparently several staff records were seen.
Kroger said the infringement did not affect the computer systems of Kroger stores, nor the systems nor the data of grocery stores and that there were no indications that fraud had occurred related to personal access data.
The company, which has 2,750 grocery stores and 2,200 pharmacies nationwide, did not immediately answer questions that included how many customers might have been affected.
Kroger said she was one of the victims of the December hacking of a file transfer product called FTA developed by Accellion, a California-based company, and that she was notified of the incident on Jan. 23, when she stop using Accellion services. Businesses use the file transfer product to share large amounts of important data and email attachments.
Accellion has more than 3,000 customers worldwide. It has been said that the affected product was 20 years old and was about to end its shelf life. The company said Feb. 1 which had fixed all known FTA vulnerabilities.
Other Accellion customers affected by the hack include the University of Colorado, Washington State Auditor, The financial regulator of Australia, the Reserve Bank of New Zealand and the prominent American law firm Jones Day.
For the Washington state auditor, the hack was particularly severe. Files were filed on 1.6 million claims obtained in its investigation into massive unemployment fraud last year.
In the case of Jones Day, cybercriminals trying to extort the law firm dumped about 85 gigabytes of data online claimed to have stolen.
Former President Donald Trump is among Jones Day customers, but criminals told The Associated Press by email that none of the data was related to him.