Kroger alerted current and former employees this week that their data – including Social Security numbers and birth dates – may have been compromised as a result of a breach at Equifax's W-2Express website.
In an email to those potentially affected and cited by the Inquisitr, the grocery chain, which has about 400,000 employees, said that while the investigation into the Equifax “security incident” is ongoing, “it appears that unknown individuals accessed the W-2Express website using default login information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions.”
Kroger stressed that it had “no indication” that its own systems were compromised. It said it was working with Equifax “to reset the default PINs needed to access the W-2Express site,” and urged potential victims to take the further precaution of going to the W-2Express website and creating PINs of their own. Those found to be affected will be notified and provided with credit monitoring services.
If you are affected, you will receive additional notifications with more information. Credit monitoring services will also be provided for affected current and former associates whose information was accessed.
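The weakness described above is a default credential built from data that leaks elsewhere: anyone holding an employee's SSN and date of birth from an earlier breach can rebuild the PIN. The following Python is an added example, not code from Kroger, Equifax or the article; the PIN derivation it uses (last four SSN digits plus two-digit birth year, and a few other obvious variants) is an assumption standing in for whatever scheme W-2Express actually used, and the account records are constructed test data. It shows the audit a payroll or HR site operator would want to run after such an incident: flag every account whose PIN can still be derived from PII, and replace it with a PIN that carries no information about the person.

```python
import secrets
from datetime import date

# ASSUMED default-PIN scheme. The article says the real default was "based on"
# SSN and date of birth but does not give the formula; this stands in for any
# PIN that is a deterministic function of breached data.
def derive_default_pin(ssn: str, dob: date) -> str:
    digits = ssn.replace("-", "")
    return digits[-4:] + f"{dob.year % 100:02d}"


def default_pin_candidates(ssn: str, dob: date) -> set[str]:
    """Every PIN an attacker with only SSN + DOB would try first."""
    digits = ssn.replace("-", "")
    mmdd = f"{dob.month:02d}{dob.day:02d}"
    yy = f"{dob.year % 100:02d}"
    return {
        derive_default_pin(ssn, dob),  # the assumed default itself
        digits[-4:],                   # last four of SSN alone
        mmdd,                          # birthday
        mmdd + yy,                     # birthday with year
        digits[-4:] + mmdd,            # SSN tail + birthday
        str(dob.year),                 # birth year
    }


def pin_is_derived_from_pii(pin: str, ssn: str, dob: date) -> bool:
    """True if the PIN is one that breached PII lets an attacker reconstruct."""
    return pin in default_pin_candidates(ssn, dob)


def generate_random_pin(length: int = 8) -> str:
    """Replacement PIN drawn from a CSPRNG; nothing about the employee reveals it."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


# Constructed sample accounts (hypothetical people, not real data).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "ssn": "123-45-6789", "dob": date(1980, 7, 4),  "pin": "678980"},    # still on the default
    {"user": "bob",   "ssn": "987-65-4321", "dob": date(1975, 12, 25), "pin": "1225"},      # changed it to a birthday
    {"user": "carol", "ssn": "555-12-3456", "dob": date(1990, 1, 15), "pin": "40917316"},  # unrelated to her PII
]


def audit_accounts(accounts: list[dict]) -> list[str]:
    """Return the users whose PIN can be rebuilt from their SSN and DOB."""
    return [
        a["user"] for a in accounts
        if pin_is_derived_from_pii(a["pin"], a["ssn"], a["dob"])
    ]


def rotate_weak_pins(accounts: list[dict]) -> dict[str, str]:
    """Issue a fresh random PIN to every flagged account; returns user -> new PIN."""
    flagged = set(audit_accounts(accounts))
    issued = {}
    for a in accounts:
        if a["user"] in flagged:
            a["pin"] = generate_random_pin()
            issued[a["user"]] = a["pin"]
    return issued


if __name__ == "__main__":
    print("accounts on PII-derived PINs:", audit_accounts(SAMPLE_ACCOUNTS))
    rotate_weak_pins(SAMPLE_ACCOUNTS)
    print("after rotation:", audit_accounts(SAMPLE_ACCOUNTS))
```

Note that "bob" is flagged even though he did change his PIN: a user-chosen PIN that is still a birthday is no better against an attacker who already holds the date of birth, which is why the check tests a family of derivations rather than only the issued default. The rotation also illustrates what Kroger's "reset the default PINs" step must mean in practice: a random, per-account value, not a new formula over the same leaked fields.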
“Organizations are getting the message that they need to protect customer data, however, this is an important lesson to realize they also need to guard their employees' personally identifiable information (PII) just as closely,” Mark Bower, global director, product management, for HPE Security-Data Security, told SCMagazine.com in emailed comments.
“Even with traditional data security systems in place, organizations have to ensure that when attacks do occur – and they will – that security and data-level protection controls can't be bypassed, allowing recovery of and access to clear data,” said Bower. “Today's exploitations require organizations to look at securing data across all channels on a data-centric basis – from mobile apps, web apps, into and out of databases, mission-critical platforms and big data.”