Kroger says some HR data and pharmacy records were possibly compromised in data breach

• The data breach was caused by a vulnerability in the Accellion file-sharing system that Kroger used.
• Kroger discontinued using Accellion and reported the incident to federal law enforcement.
• Certain HR data, money service records, and pharmacy records were affected.

Kroger was among the companies affected by a data breach caused by a weakness in a product offered by Accellion, a third-party company that the retailer used for secure file transfer services, according to a company press release.

The breach didn't affect Kroger's IT system, the store systems, debit or credit card information, and no customer data was misused, the retailer said, but it did impact certain HR data, money service records, and pharmacy records.

"At this time, based on the information provided by Accellion and its own investigation, Kroger believes that less than 1% of its customers, specifically customers of Kroger Health and Money Services, have been impacted," the company said in Friday's press release.

The supermarket chain, which has nearly 3,000 stores accross the country, discontinued using the product and reported the data breach to federal law enforcement after being informed of the incident on January 23, Kroger said Friday.

Accellion informed Kroger that an unauthorized person gained access to Kroger files through a weakness in Accellion's file transfer service, Kroger said.

Kroger also initiated its own investigation to determine the impact of the incident. The company is in the process of contacting potentially harmed customers and offering free credit monitoring.

Accellion did not immediately respond to a request for comment.

Accellion's customers have been using the company's product called File Transfer Appliance (FTA) which offers secure file-sharing services for sensitive files that are too large for email attachments. The product was used by law firms, including Jones Day, Insider previously reported.

Earlier this month, Accellion announced that it is retiring its FTA systems and encouraged its customers to upgrade from the 20-year-old system to its newer product Kiteworks that "never reported" an external vulnerability in the four years it has been in the marketplace.

The company will not allow renewals to its FTA product after April 30, according to its website.

In January, Accellion said that it released a patch within 72 hours to less than 50 of its customers who have been impacted by the breach. The string of data breaches affected large organizations and companies around the world.

Among those affected was New Zealand's Reserve Bank that became aware of the data breach in January. "Following this malicious attack, the software application was secured and closed," the bank said in its statement on February 15.

The data breach that the bank experienced on December 25 impacted some files that contained personal email addresses, birthdates, credit information, the bank said. The bank also added that it is working directly with stakeholders to determine the number of individuals affected.

Singtel, Singapore's telecommunications company, also experienced a data breach of its FTA Accellion system and said on Wednesday that it is working with the Cyber Security Agency of Singapore about the incident.

The company completed its investigation and concluded that 23 enterprises were affected and Singtel's data logs, test data, reports, and emails were leaked, according to its statement. Exfiltrated data also included personal information such as birthdates and names of 129,000 customers and bank account details of 28 former Singtel employees, the company added.