Kroger Alleged to Bear Responsibility in Accellion Data Breach Class Action

In the event of a data breach, can an employee whose information was compromised bring suit against their employer rather than the company that experienced the data breach? This class action brings suit against the Kroger Company, claiming it bears responsibility in the case of the “large and preventable” data breach suffered by its vendor Accellion, Inc.

The class for this action is all persons living in the US who are or were employees of Kroger or any of its affiliates, parents, or subsidiaries whose PII was compromised in the data breach that occurred in or around December 2020. A Kansas Subclass has also been proposed for those in the class who live in Kansas.

Kroger distributed a Notice of Data Breach on March 11, 2021, claiming that Accellion had experienced a data breach on January 23, 2021. However, the complaint contends that the data breach actually happened in December 2020. The personally identifying information (PII) that was stolen included names, contact information, birth dates, Social Security information, and for some, salary information.

Kroger used Accellion to make secure file transfers. How is Kroger responsible? The complaint alleges, “Kroger was aware and had full knowledge that Accellion’s data security on the platform Kroger used was lax. In fact, prior to the breach, Accellion encouraged Kroger to move to a newer and more secure transfer platform.”

Kroger entrusted the confidential PII of its employees to Accellion, for secure file transfer, using a product called FTA. The complaint claims, “This self-described ‘legacy’ product is 20 years old and incapable of preventing modern data security threats.”

In fact, Accellion had announced it would no longer offer the FTA product as of April 30, 2021. It has been encouraging customers to “migrate to its newer, more secure products ‘Kiteworks,’ which was launched roughly four years ago,” but Kroger had not done this.

The old FTA software used CentOS for its functions. CentOS announced in late 2019 that it would stop supporting CentOS 6 after November 30, 2020. The complaint alleges, “Upon information and belief, the fact that it was no longer supported by CentOS meant that the FTA software would no longer receive expected vulnerability testing and patching.”

The data breach that exposed the PII of Kroger employees occurred on December 25, 2020. The complaint claims, “The breach occurred after hackers exploited a vulnerability in Accellion’s legacy FTA software through traditional SQL injection methodology.”

The complaint alleges that Kroger did not comply with Federal Trade Commission requirements and standards for data security.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Kroger Alleged to Bear Responsibility in Accellion Data Breach Complaint

April 19, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy