Kroger Failed to Secure Information Exposed in Accellion Data Breach Class Action

This class action undertakes to hold a company responsible for the actions or omissions of one of its third-party vendors. The incident at issue is the data breach suffered by Accellion, which held employee and customer information pertaining to Kroger. The complaint alleges that the Kroger Company “was aware and had full knowledge that Accellion’s data security on the platform Kroger used was inadequate. In fact, prior to the breach, Accellion encouraged Kroger to move to a newer and more secure platform.”

The class for this action is all Kroger employees, pharmacy customers, Little Clinic patients, money service customers, and others whose private information was provided to Kroger and exposed in the Accellion data breach.

The data breach exposed the personally identifiable information (PII) of individuals, including addresses, dates of birth, Social Security numbers, and protected health information (PHI), including insurance and prescription information, prescribing doctors, medications, medical history and diagnosis, and other information.

The complaint claims that Kroger did not follow industry standards in protecting the PII and PHI it collected, because it used outdated software to transfer information to Accellion.

What was wrong with the software? The complaint alleges, “Kroger used Accellion’s outdated legacy File Transfer Appliance (‘FTA’) to transfer the PII (including PHI) of, at the very least, its current and former employees and Health and Money Services customers.” That software, the complaint claims, “relied on CentOS 6 to function.” CentOS announced in late 2019 that it would not support that system after November 2020, which the complaint says “upon information and belief, … that the FTA software would no longer receive expected vulnerability testing.”

The data breach took place on December 25, 2020.

The complaint claims, “The breach occurred after hackers exploited a vulnerability in Accellion’s legacy FTA software through traditional SQL injection methodology.”

The complaint holds Kroger responsible as well, saying that the company “failed to undertake adequate analyses and testing of its own systems, adequate personnel training, and other data security measures to avoid the failures” represented by the data breach. Moreover, the complaint claims that the FBI and US Secret Service have been warning companies that are potential targets of data breaches, and that these warnings and the increasing number of cyberattacks gave Kroger warning of the possibility of such an attack.

According to the complaint, because Kroger “failed to adequately update and upgrade the security of its computer systems, failed to implement proper cybersecurity hardware and software (such as next generation firewalls and multi-factor authentication), failed to implement adequate procedures for handling phishing e[-]mails, and failed to adequately train employees,” it “negligently and unlawfully failed to safeguard” the PII and PHI it collected and stored.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Kroger Failed to Secure Information Exposed in Accellion Data Breach Complaint

March 11, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy