HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kroger Proposes $5 Million Settlement to Resolve Data Breach Lawsuits

The pharmacy and supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed by victims of a data breach that exposed their personal information and protected health information.

Kroger was one of many victims of a cyberattack on Accellion’s File Transfer Appliance (FTA) in December 2020. The Accellion FTA is a legacy solution used to transfer files too large to be sent via email. The attackers exploited several zero-day vulnerabilities in the appliance and gained access to the data of more than 100 companies. Although no ransomware was deployed, the attack was linked to the Clop ransomware gang, which threatened to publish the exfiltrated data. Individual companies were sent demands for payment to prevent the exposure of their stolen data.

Kroger was notified of the breach on January 23, 2021 and received a ransom demand from the attackers on February 2. The FBI was notified, and Kroger paid the ransom on February 18, 2021. The attackers returned the stolen data the following day and provided a video purporting to show that their copy of the data had been deleted.

Approximately 1% of Kroger Health and Money customers had their sensitive data stolen, including names, contact information, health benefits information, Social Security numbers, prescription information, and other sensitive data. Kroger notified all affected customers and offered them complimentary credit monitoring and identity theft protection services for two years. Kroger said it had stopped using the legacy Accellion FTA service, confirmed that the data stolen by the attackers had been returned, and said it had received assurances that all copies were destroyed.


Several lawsuits have been filed against Kroger and Accellion over the data breach. Plaintiffs in the Kroger lawsuits alleged that the pharmacy chain failed to implement and maintain appropriate data security practices to protect customer information, and failed to detect the vulnerabilities that the attackers exploited.

Lawyers for both sides reached an agreement, and a motion for preliminary approval of the proposed settlement was recently filed in the United States District Court for the Northern District of California. The proposed settlement covers all 3.82 million individuals affected by the breach, including Kroger employees and customers, and resolves all lawsuits filed against Kroger in relation to the breach. The settlement resolves only the claims against Kroger, not any claims against Accellion. At least 15 lawsuits have been filed against Accellion over the data breach.

Claimants will be entitled to choose either a cash payment or two years of credit monitoring services, or they can submit a claim for up to $5,000 in documented losses that can reasonably be traced to the data breach. A fund of $5 million has been set up to cover claims.

The settlement also requires Kroger to implement significant remedial measures: ensuring the data stolen in the attack is secured and destroyed, conducting dark web monitoring for 5 years to identify any fraudulent use of data stolen in the attack, and confirming that it has stopped using the Accellion FTA. Kroger is also required to enhance its vendor risk management program and to conduct regular reviews of all software and file transfer services used to transfer customers’ personally identifiable information.

While both sides have agreed to the settlement, it has yet to be approved by the court.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.