Month: April 2011

Security

Data breach for Kroger

Just got an email today from Kroger saying that they had suffered a data breach and to (essentially) watch out for spam. The text of the message:

Kroger wants you to know that the database with our customers’ names and email addresses has been breached by someone outside of the company. This database contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).

Sincerely,

The Kroger Family of Stores

And now, why I am not in the least concerned.

  1. Kroger is the parent company of 29 supermarket, warehouse, discount grocery and convenience store chains, 4 jewelry store chains and 3 financial services companies. I have a “rewards card” type account at one of those 29 grocery-type places that links my email address with my name. However, I do not have an online account with any of them. (I don’t see the need to create yet another account to “log in” to the web site of a store down the street to print the same coupons they send me in email and physical mail.)
  2. I do not have any payment methods tied to that account (obviously, as I have no “online account” with them).
  3. When I am sent details of my coupons and money-back rewards I get those via email with a link to view them. Sure, someone sniffing on the wire could get the link and print out my money-back certificates. But they are tied to the physical “rewards card” I have with the store, so they don’t really do anyone else any good unless they clone my card.

So, even though I am not particularly worried about this data breach (especially since my real name is tied to that email address in lots of publicly available places online), I do have to give Kroger credit for informing their customers. Now I am just hoping they release a little more information about how it happened, what steps they took, etc. Are you listening, Kroger? Thanks.

Edit: @Tekneek pointed me to this article by Brian Krebs. According to Krebs’ article, it looks like their email marketing service provider Epsilon was breached.