
Hackers Steal Kroger's Customer List

Posted by timothy
from the now-they-know-who-buys-food dept.
wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."
  • by mr100percent (57156) on Saturday April 02, 2011 @09:34AM (#35693384)

    I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?

    • When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)
      • by morari (1080535)

        I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

        • by hedwards (940851)

          If only they would give a discount. Around here when the discount cards rolled out there was an immediate price hike on the regular price to a similar amount as the discount. The net effect being that you weren't saving money with the discount cards, just not being gouged as badly.

          Why they were allowed to do that is beyond me, because the customers didn't have much choice given that all the major grocery chains started doing it about the same time and the smaller ones are much more expensive.

          • Why they were allowed to do that is beyond me

            Because having the government mandate the price of milk sounds like about the worst idea you could possibly implement, especially given that this is a capitalist system?

            Because we as a people have decided that as a general rule it is best to let market forces work out the price of milk?

            • by hedwards (940851)

              Milk is a bad example, most of the milk supply in the US is controlled by a very small number of concerns. A couple years back there was a push here to require all dairies to sell their milk to a collective and then require all in state purchases of milk to be done through the distributor. Thankfully it didn't go through, but it was somewhat nerve wracking watching big milk trying to drive out the last competition.

              If you thought the telecommunications industry was bad, big milk is worse.

              The whole notion tha

        • Re:Tortious? (Score:4, Insightful)

          by by (1706743) (1706744) on Saturday April 02, 2011 @10:47AM (#35693728)

          I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

          Filling them out with fake information is almost as useful for them (assuming you do indeed use the card). Think of it as a click-tracking cookie, but for a supermarket instead of a web site. Sure, it's nice to have all the personal information you can get, but it's still useful without that.

          Certain demographic statistics will get screwed up, of course (wow, that 82 year old woman sure loves her beer, Oreos and frozen pizza!). However, a huge reason that discount cards are issued is for statistical information on purchases relative to each other. If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.

          • At my local ACME Market there's Hormel sliced pepperoni on the end of just about every food related aisle in the store
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            Filling them out with fake information is almost as useful for them (assuming you do indeed use the card).

            So what? The idea is to protect my privacy, not try to intentionally be a dick to them. I'm glad the fake information I gave them is still useful.

        • by XorNand (517466)
          Ever use one of these cards in conjunction with a credit card? They have your real info now.
        • the local 'loyalty cards' don't require anything from you. they hand them out and you can take their stupid form, tell them 'I'll do this later' and then just use the card. the most they can get on you is what you buy, but you stay anon.

          well, as long as you pay with cash only. doh! when you pay via authenticated means, you can probably guess they then can bind your name to your purchases.

          but use of cash and those cards that you don't fill out (at all) are not a bad way to work the system. its trying to

        • by Ucklak (755284)

          Because you get free stuff like free turkey for thanksgiving, free pack of burgers for 4th of July, free drinks, etc....

          Anybody can find your address anyway.
          Just use a throw away email and phone number (Google voice)

      • sibling is right... most times, I don't even have to fill them out, instead feigning time pressures: "I have to be somewhere pretty soon - is it okay if I bring this back?" usually gets me the card with zero information to the store.

      • I refuse to play the "discount card" game. When I make a purchase at the local CVS, they ask if I have a discount card. I say "no" and the clerk scans the store copy and I get the discount anyways without giving personal information. Often when going to stores that do not have a "store card", another customer offers their card and the clerk scans that without objection. I have even encountered clerks that have their personal card that they scan. These "discount cards" are a farce!

        • by jhigh (657789)
          The only reason to use them is for gas points or other such rewards. I occasionally forget my discount card and use the store card, but at any major grocery store that gives gas points, I've found it worth it to have a card.
        • by sfm (195458)

          If you do not wish to support the "discount card game", then vote with your
          feet. Shop at stores that do not have the cards. If enough people do this,
          you will see these "penalty cards" disappear.

      • by AftanGustur (7715)

        When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)

        To check their security I always give them the name of my uncle .. Little Bobby Tables. [xkcd.com]

    • Is reusing the same password (as in the case of HBGary) considered negligent?

      One would hope so. In Europe anyway the data registrars could get pretty snarky if a data controller were too negligent with personal data. Compliance does vary though. My bank does a decent job, while food delivery places tend to be pretty piss-poor. If you have a phone number of someone and a name, and you'd like to find their address, use the local pizza places. Assuming that person orders pizza, chances are if you give the name and number of that person, the guy on the phone will give you the address.

      • English, motherfucker, I don't speak it.

        *Been pretty rare to find someone on a pizza line here who won't tell me my address, and I don't even have to get sneaky in my questioning.*

      • by CastrTroy (595695)
        Thanks to the advent of the internet, you can usually find out someone's name, phone number, and address, with just one of those pieces of information. Pick a random address, look it up on a reverse directory, and you can find out the name, and the phone number of the person who lives there. Unless they don't have a land line, or they are pretty careful with their privacy, it works almost every time.
    • I wonder if this is something you can sue over.

      Yes, some lawyer will gin up a "class action" suit to address the irreparable harm that mom, dad, gramps, and Cletus have suffered as a result of the disclosure of their almost certainly widely available email addy - and the fact that grandpa regularly buys extra large lubricated Trojans. And as is standard practice, the lawyer will walk away with 10 or 15 million while the harmed parties will get a 50 cent off anything coupon.

      Yes, let's SUE! SUE! SUE! to address this heinous disregard for personal priv

  • by jhigh (657789)
    These days, email addresses are about as valuable as anything. Spam, phishing scams, etc. are all capable of causing infinite problems for people.

    I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.
    • I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.

      And exactly what would you do? Would you rip some 20 year old who is running the office, who has nothing to do with any of this? Would you see the store manager and rip him a new one, when HE has nothing at all to do with what the headquarters does?

      • Re:Emails? (Score:5, Funny)

        by MysteriousPreacher (702266) on Saturday April 02, 2011 @09:56AM (#35693484)

        You'd be dismayed at how often people actually believe that the guy behind the counter or on the end of a tech support line is the best target for a discussion about corporate policies and general unhappiness with capitalism and assorted laws of physics. The latter came up more than once in tech support. I declined to alter the universe at a fundamental level.

      • by jhigh (657789)
        Actually, I would contact their corporate offices and ask to be removed from their database entirely and to have my account with them deleted completely. I didn't mean that I would be seeking retribution, only to make sure that my information isn't further compromised in the future.
    • You might be surprised about Kroger - they have 17+ banners they do business with. There might not be a Kroger store, but there might be a Fry's, Smith's, Ralph's, Fred Meyer, QFC, or King Soopers.

      They are all Kroger.

  • by ruiner13 (527499) on Saturday April 02, 2011 @09:35AM (#35693388)
    So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

      Does that tell you something about this breach, or about the culture surrounding Facebook?

      Not everybody wants their online contact info to be an open book. Not everyone on this customer list has a Facebook account. You can join the crowd that lowers the bar on privacy expectations and you will have much company. There will be many millions nodding their heads and agreeing with you and validating your opinion. The part you don't seem to appreciate is that they embrace it voluntarily. Not everyone does.

      • by hedwards (940851)

        True, but the cost of not participating is getting bigger all the time. There's a lot of discounts you just can't get if you don't have a facebook account and good luck with a lot of those contests if you aren't on facebook or twitter.

        Fortunately, it hasn't gotten to the point of companies being allowed to advertise just on social networking sites, hopefully somebody will realize that it's fundamentally a bad idea if allowing it comes up for a vote in congress.

    • You're doing it wrong if Facebook is by default making your email address completely public, or you're not the kind of person to worry too much anyway about this kind of thing. Why not have a nice cup of tea and wait for the next story to pop out?

      • by ruiner13 (527499)
        Agreed. I never said that Facebook was the golden model of privacy. I only meant to imply that if we're not completely outraged about what Facebook does, then something like this does not merit panic or being spread like gossip. The people affected should be notified properly so they can understand the situation, but spreading it as if it were a major security break is disingenuous. It is a break, but does not need to be treated as a meltdown.
    • by fermion (181285)
      "We want to assure you that the only information that was obtained were names and email addresses."

      They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but i

      • Doesn't that kind of require at least three seemingly unfounded assumptions?

        1) The assumption that purchasing details were stolen
        2) Kroger Co. is lying about what was disclosed (otherwise why should we castigate them for being unable to announce something before it was known)
        3) It'll be less damaging to have to make two separate announcements, thus prolonging the media story, than a single announcement covering all of what they currently know

        • Epsilon is a company that does mass-market emails. Kroger uses DunnHumby USA for their statistics and market data. They use someone completely different for credit card processing, maintaining PCI compliance.

          I'm pretty sure they have the capacity to have different databases, with controlled access to each. They aren't the local fruit stand, they're a Fortune-30 business.

      • by JimWise (1804930)

        I am confused how you can say "They are not saying that the only information taken was names and emails" and "They have not said that the personal information was limited to names and email addresses." To me that is pretty much exactly what the sentence that you quoted says: "We want to assure you that the only information that was obtained were names and email addresses."

        I could understand saying that it takes a leap of faith to believe that was all that was acquired from the system since from the message

        • What it shows is that attacks will continue against just about every major US chain and their *contractors*, because there's a payoff for stealing info. The Kroger incident is one of the ones that we know of; there are probably many more that we have no idea about because they weren't detected.

          Corporate security ought to be flawless, and it's not, and their contractors should be held to the same high standards. This, along with TJMax and any number of breaches is a compelling reason to rethink garnering cus

          • I dunno - I trust "Joe in IT" more than that. However, the pointy heads are good at rolling stuff under rugs, so even if it was detected it would be instantly classified.

      • They have not said that the personal information was limited to names and email addresses.

        Yes, they have. The whole "We want to let you know" construct is not a literal construct in modern English; it's simply a redundancy that allows you to open a sentence slowly to avoid sounding curt. When Amazon tells me "We just wanted to let you know that your order has shipped," they're not just sharing their feelings with me, they're letting me know that my order has shipped. They wanted to let me know it, and now they're letting me know it.

        In this case, the literal usage of those words (trying to tell me

    • by rednip (186217)

      So, they got information that sites like Facebook make completely public anyway?

      So, facebook is supposed to be an example of default expected privacy? God, I hope not.

      • by click2005 (921437) *

        Facebook is more like the strange old man offering you free candy and promising there is more in the back of his van.

  • I just got an email from US Bank this morning as well about the data breach with Epsilon. I wonder how many more companies are affected by this one third-party company.
  • by Anonymous Coward

    Why would anyone give their email address to a grocery retailer?

    • by JimWise (1804930)

      There are several reasons. I am one of those who gave my info to Kroger, and doing so has let me save some money, partly because I also did the same with Giant Eagle (the other large grocery store chain in my area.) I pass both of them pretty much every day. Each has good weekly deals, and they both send e-mails of the deals the day before they begin. It makes it easy for me to compare and see which store to stop by in a given week and what to pick up where. They are the same ad fliers that are in the

      • by adolf (21054)

        One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

        Yeah, the recall stuff is nice. Sometimes.

        I bought some ground beef from Kroger using the card. I cooked it and ate it. It was yummy.

        A couple of weeks later, I bought something else from Kroger, and

        • by DarkVader (121278)

          Well, if you ate it and didn't get sick, then it wasn't actually bad, was it? I'm not sure what you're complaining about.

          And around here, all the grocery stores have the silly little cards. I don't really have a choice if I want to eat. And I like eating.

          I have generally found Kroger to be the best of the chains here, every time I've been to the others, I've gotten rotten fish - that's never happened at Kroger. The employees are generally friendly, and seem to be quite competent.

          And I feel better shoppi

  • I just had a conversation with guy at a gas station as to why I didn't have one of their rewards cards. He kept assuring me that I wouldn't be tracked and yet I just don't believe that. For the record, assuming this list is for their "Plus Cards", we are likely on that list buuut only under a bogus name...or maybe I found a card that someone lost. Regardless, if it didn't save me $40 every time I went to the store, I wouldn't have it; saving $3 at a gas station every 3 weeks isn't enough of a reward to even

  • by JimWise (1804930) on Saturday April 02, 2011 @09:42AM (#35693420)

    I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Does anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and it will be interesting to see how different companies react to the same issue. It is also good to see that the third party e-mailer is given only the base details necessary for them to perform their function and is not provided with street addresses or other unnecessary personally identifiable information.

    ++++++++++++Important E-Mail Security Alert++++++++++++

    Dear Valued Brookstone Customer,

    On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

    We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

    Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

    In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

    Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Sincerely,

    Brookstone Customer Care

    • Apparently TiVo also used the same service, because I just got an email from them about names and email addresses being exposed.

  • Why am I not surprised?
  • So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)
    • by hedwards (940851)

      That's a serious problem. Some companies are more transparent about it than others are, but a financial services firm can have quite a few contractors doing the actual work. If any of them lose a laptop or get cracked, your information can get leaked all over the place.

      But, whenever privacy regulations come up for debate they typically get shouted down as "nanny state politics," discouraging personal responsibility, being socialist or causing people to lose their jobs.

    • by Schemat1c (464768)

      So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)

      I found an email this morning from Usbank telling me that they use Epsilon and that my email address was among the stolen files. I did a Google search and apparently Chase also uses the service.

      This isn't good.

    • by stilwebm (129567)

      So far I've seen the following brands/companies affected:

      McKinsey, Brookstone, U.S. Bank, Capital One, Citibank, JP Morgan Chase, Kroger, New York & Co, and Tivo.

      Some additional clients of theirs include Best Buy, Fender, TIAA-CREF, MD Anderson, Visa, Kraft, Marriott International, and Johnston & Murphy/Genesco.

      I expect that client list to shrink as more notifications go out.

  • Fortunately, my Kroger Plus card application was littered with fake information!
  • "... notified customers today of a breach of the database that stores its customers' fake names and fake email addresses."

    There, fixed it for you.

  • I received a similar notification from US Bank today with regards to my linuxfund.org credit card. They called out Epsilon as the source of the leak, and claim no financial data was compromised.

    ---
    As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

    We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon h

  • Kroger has no idea who accessed their email system, let alone whether or not they were hackers. Seems more likely spammers, or perhaps fraudsters, would be interested in gaining accesses to customer names and email addresses.

    In fact the word hacker appears nowhere in the article or summary. What is your major malfunction, Timothy?

  • The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

    They're a grocery store. They don't need that info.

    • The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

      They're a grocery store. They don't need that info.

      Why should they be forced to do that? It's not Kroger's fault in the first place, it's Epsilon who made the mistake.

  • Third party (Score:4, Insightful)

    by Zedrick (764028) on Saturday April 02, 2011 @11:40AM (#35694036)
    "third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

    Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.
    • "third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

      Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

      Ignorant comment.

      Why do people outsource things to others when they can do it themselves? Like for example, why do people hire a company to fix their cars? Indeed: because the company has all the tools and expertise already, you'd have to first train yourself and then get all the necessary tools in order to do it. It's exactly the same with companies: if someone else can do the same job better, easier and cheaper than if you did it yourself then obviously it makes more sense to get the someone else to do it

    • Or maybe it's cheaper/more efficient to hire a third party so Kroger can concentrate on their actual business - selling groceries.

    • by joost (87285)

      Take a deep breath there, cowboy.

      It makes sense to offload e-mail delivery to a dedicated party. SMTP best practices, RBLs, proper headers, server capacity, bounce handling are essential to responsible e-mail campaigns.

      Almost no business has the intimate knowledge required to operate such a thing in-house. The BEST thing to do is outsource it to a mailing list provider. And the best practice on top of that is to just copy name + email address to the third party, as they have done. And after the breach they
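The "copy only name + email to the third party" practice described in this comment, and the separate-database point made earlier in the thread, come down to a deny-by-default export. The following is an added illustration written for this page, not code from Kroger, Epsilon or any commenter; the customer records, the allowlist, the `list_token` scheme and the in-house key are all constructed assumptions. It projects each record onto the two fields a mailing vendor needs, replaces the customer id with an opaque keyed token so the vendor's copy cannot be joined back to the loyalty or purchase data, and audits the batch before it leaves.

```python
import hmac
import hashlib

# Constructed allowlist: the only fields a mailing-list vendor needs to send a campaign.
ESP_ALLOWLIST = frozenset({"first_name", "email"})
# Constructed key; it stays in-house, the vendor never receives it.
LIST_TOKEN_KEY = b"example-only-in-house-key"

SAMPLE_CUSTOMERS = [  # constructed records, not real customer data
    {"customer_id": 1001, "first_name": "Nancy", "last_name": "Drew",
     "email": "nancydrew@example.com", "loyalty_card": "PLUS-0001",
     "street": "1 River Heights Rd", "purchases": ["beer", "oreos"]},
    {"customer_id": 1002, "first_name": "Edgar", "last_name": "Poe",
     "email": "epoe@example.com", "loyalty_card": "PLUS-0002",
     "street": "7 Raven Ln", "purchases": ["frozen pizza"]},
]


def list_token(customer_id, key=LIST_TOKEN_KEY):
    """Opaque per-list token (hypothetical scheme): the vendor's copy carries
    neither customer_id nor loyalty-card number, only an HMAC the vendor
    cannot reverse or forge without the in-house key."""
    return hmac.new(key, str(customer_id).encode(), hashlib.sha256).hexdigest()[:16]


def export_for_esp(records, allowlist=ESP_ALLOWLIST):
    """Project each record onto the allowlist (anything not listed is dropped)
    and attach the opaque token used for bounce/unsubscribe reconciliation."""
    batch = []
    for rec in records:
        row = {k: rec[k] for k in allowlist if k in rec}
        row["list_token"] = list_token(rec["customer_id"])
        batch.append(row)
    return batch


def audit_export(batch, allowlist=ESP_ALLOWLIST):
    """Pre-transfer control: every (row_index, field) outside the allowlist plus
    the token is a violation. An empty list means the batch is clean."""
    permitted = set(allowlist) | {"list_token"}
    return [(i, k) for i, row in enumerate(batch) for k in row if k not in permitted]


def resolve_token(token, records, key=LIST_TOKEN_KEY):
    """In-house only: map a token reported back by the vendor (bounce,
    unsubscribe) to a customer_id. Requires the key and the master records,
    neither of which the vendor holds."""
    for rec in records:
        if hmac.compare_digest(list_token(rec["customer_id"], key), token):
            return rec["customer_id"]
    return None


if __name__ == "__main__":
    batch = export_for_esp(SAMPLE_CUSTOMERS)
    print(batch)
    print("violations:", audit_export(batch))
```

Run as a script it prints the two exported rows and an empty violation list. The audit is what matters operationally: a later "helpful" change that adds `purchases` to the feed is caught before transfer rather than discovered in a breach notice.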

      • This is specious nonsense, of course. It's the sort of FUD spread by spammers-for-hire masquerading as ESPs in order to lure unsuspecting customers in. The reality is that it's a trivial exercise to run mailing lists like this -- even those of modest intelligence can easily manage it. The combination of Linux, Apache, Mailman and an MTA-of-choice (postfix, sendmail, etc. -- not qmail, as that is only used by inferior people) makes it an afternoon's exercise to set up a properly-functioning mail server and
  • by Cylix (55374) * on Saturday April 02, 2011 @12:11PM (#35694236)

    Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!

    There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.

    One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.

  • I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?

  • I always set up a separate email account for every vendor I deal with. A surprising number of those email addresses end up getting into the hands of spammer/scammers. I always notify the companies that someone has compromised their email database, but only once have I received a response. It's no big deal for me to just divert all future email to that account to /dev/null, but are there US federal laws that cover this, and is there any federal agency that should be notified so that these companies take secur
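The per-vendor address practice in this comment is a cheap leak detector, and it can be made tamper-evident: derive each vendor's address with a short keyed tag so a spammer who obtains one address cannot mint plausible addresses for other vendors and send you chasing the wrong company. This is an added example written for this page, not the commenter's own setup; the mailbox `nancydrew@example.com` (from another comment on this page), the secret and the sample recipient list are constructed.

```python
import hmac
import hashlib

# Constructed: secret known only to the mailbox owner; rotate it if it leaks.
SECRET = b"example-only-rotate-me"
BASE_LOCAL = "nancydrew"   # constructed mailbox local part
DOMAIN = "example.com"


def _tag(vendor_slug, secret):
    """Six hex chars of HMAC-SHA256 over the vendor slug: short enough to type,
    long enough that guessing another vendor's tag is impractical."""
    return hmac.new(secret, vendor_slug.encode(), hashlib.sha256).hexdigest()[:6]


def vendor_address(vendor, secret=SECRET):
    """Address handed to one vendor, e.g. nancydrew+kroger.3f2a1b@example.com.
    The slug keeps only letters and digits so it survives the address syntax."""
    slug = "".join(c for c in vendor.lower() if c.isalnum())
    return f"{BASE_LOCAL}+{slug}.{_tag(slug, secret)}@{DOMAIN}"


def attribute_recipient(addr, secret=SECRET):
    """Given the recipient address of an unexpected message, return the vendor
    whose copy of the address is in use, or None if the address is not ours,
    carries no tag, or the tag does not verify (forged or mangled)."""
    local, _, domain = addr.lower().partition("@")
    if domain != DOMAIN or "+" not in local:
        return None
    base, _, suffix = local.partition("+")
    slug, _, tag = suffix.rpartition(".")
    if base != BASE_LOCAL or not slug or not tag:
        return None
    return slug if hmac.compare_digest(tag, _tag(slug, secret)) else None


def leaked_vendors(recipients, secret=SECRET):
    """Count verified hits per vendor across a batch of recipient addresses
    taken from unsolicited mail; unverifiable addresses are ignored."""
    counts = {}
    for addr in recipients:
        vendor = attribute_recipient(addr, secret)
        if vendor is not None:
            counts[vendor] = counts.get(vendor, 0) + 1
    return counts


# Constructed batch: two genuine hits on the Kroger address, one address
# rewritten to name Kroger but carrying TiVo's tag, the untagged base
# address, and an unrelated address.
SAMPLE_RECIPIENTS = [
    vendor_address("Kroger"),
    vendor_address("Kroger"),
    vendor_address("TiVo").replace("+tivo.", "+kroger."),
    f"{BASE_LOCAL}@{DOMAIN}",
    "someone.else@example.org",
]

if __name__ == "__main__":
    print(leaked_vendors(SAMPLE_RECIPIENTS))
```

The report for the constructed batch attributes only the two genuine addresses to `kroger`; the forged one fails tag verification and is dropped, so a spammer cannot make one vendor look responsible for another's leak. Plus-addressing delivery depends on the mail provider supporting it, which is the same assumption the commenter's separate-account approach avoids at the cost of managing more mailboxes.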

  • by NetNed (955141)
    It would be nice if these discount cards at Krogers actually gave you a discount. All it is, is the normal price at other stores that don't have this discount card scam running. You'd think if they are selling info and making money on it, then they could actually give a decent price on items, but as far as Krogers goes, they are WAY over priced on many, many items. At least the ones in my area are.
    • by Zorque (894011)

      That's kind of strange, the Smith's (local Kroger chain) in my area is always a lot cheaper than everything else. I wonder if they leave the prices up to the individual chains?

      Of course, I've always wondered if the non-card prices are inflated and the card prices are what you'd normally pay. Seems like something a large company like that would do, at least.

      • by NetNed (955141)
        Possible. All the ones in my area (about 6 or so that I have been to) have the same prices. They do carry different things between different locations. The closest one to me has an interesting habit of getting rid of things that seem to sell well. I have given up asking because they always say ALL Krogers stopped carrying those items, only to see it at another location farther away.

        I will say they have good prices on milk sometimes, with the card of course. But things like cookies, crackers, soda and othe
  • Because a grocery store needs to hold on to customer information! How else can they... uh... well, er... PROFIT?

    So what do I need to do to convince a corporation to get rid of all customer data they have on me? Oh... wait... nevermind.

  • U.S. Bank has the loan for my truck. I have no other dealings with them. Just got an email about the Epsilon information being stolen, supposedly only our email address (my wife's, actually). They apparently contract with Epsilon for their email services. This outsourcing of customer management always bothers me. It seems you are never dealing with a single company anymore; any commerce involves spreading your information out to a collective of "responsible" parties, regardless of appearances otherwise

  • My wife got an email from TiVo, and I got an email from some branch of Disney vacation sales (no surprise -- we took a trip to DisneyWorld like 5 years ago and they still have my email address).

    This is affecting a lot of companies.
