Hackers Steal Kroger's Customer List 185
wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz
SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."
Tortious? (Score:3)
I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?
Re: (Score:2)
Re: (Score:2)
I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P
Re: (Score:3)
If only they would give a discount. Around here when the discount cards rolled out there was an immediate price hike on the regular price to a similar amount as the discount. The net effect being that you weren't saving money with the discount cards, just not being gouged as badly.
Why they were allowed to do that is beyond me, because the customers didn't have much choice given that all the major grocery chains started doing it about the same time and the smaller ones are much more expensive.
Re: (Score:2)
Why they were allowed to do that is beyond me
Because having the government mandate the price of milk sounds like about the worst idea you could possibly implement, especially given that this is a capitalist system?
Because we as a people have decided that as a general rule it is best to let market forces work out the price of milk?
Re: (Score:2)
Milk is a bad example, most of the milk supply in the US is controlled by a very small number of concerns. A couple years back there was a push here to require all dairies to sell their milk to a collective and then require all in state purchases of milk to be done through the distributor. Thankfully it didn't go through, but it was somewhat nerve wracking watching big milk trying to drive out the last competition.
If you thought the telecommunications industry was bad, big milk is worse.
The whole notion tha
Re: (Score:2)
You know, theres a term for "government controlling means of production", and last I checked theres never been an instance of it working out well, ever.
Re: (Score:2)
Re: (Score:2)
Meijer is nice, though while the Target across the street* has a smaller selection, for what it does have it's invariable cheaper.
*Seriously, three out of the four places I've lived, they had a Target either across the street from or right next to the Meijer. Kinda creepy.
Re:Tortious? (Score:4, Insightful)
I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P
Filling them out with fake information is almost as useful for them (assuming you do indeed use the card). Think of it as a click-tracking cookie, but for a supermarket instead of a web site. Sure, it's nice to have all the personal information you can get, but it's still useful without that.
Certain demographic statistics will get screwed up, of course (wow, that 82 year old woman sure loves her beer, Oreos and frozen pizza!). However, a huge reason that discount cards are issued is for statistical information on purchases relative to each other. If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.
Re: (Score:3)
Re: (Score:2, Insightful)
Filling them out with fake information is almost as useful for them (assuming you do indeed use the card).
So what? The idea is to protect my privacy, not try to intentionally be a dick to them. I'm glad the fake information I gave them is still useful.
Re: (Score:2)
Re: (Score:2)
the local 'loyalty cards' don't require anything from you. they hand them out and you can take their stupid form, tell them 'I'll do this later' and then just use the card. the most they can get on you is what you buy, but you stay anon.
well, as long as you pay with cash only. doh! when you pay via authenticated means, you can probably guess they then can bind your name to your purchases.
but use of cash and those cards that you don't fill out (at all) are not a bad way to work the system. its trying to
Re: (Score:2)
Because you get free stuff like free turkey for thanksgiving, free pack of burgers for 4th of July, free drinks, etc....
Anybody can find your address anyway.
Just use a throw away email and phone number (Google voice)
Re: (Score:2, Flamebait)
The sad thing is, I'm sure the masses were all going, "Ohhh burn! Take that!", before you replied.
Re: (Score:2)
Since when have the masses read /.?
Re: (Score:2)
Good thing I use cash for just about everything then, isn't it? ;)
Re: (Score:2)
The names and zips that go with my grocery store cards are unrelated to the names on the credit cards I use. It's never a problem.
Re: (Score:2)
Why would I do that?
So you earn the 1-2% your card offers you back on each purchase, that comes at no cost to you if you actually pay your bill each month?
Re: (Score:2)
Is that recent? Because I didn't.
And I periodically exchange cards with friends, acquaintances, people on the street, that sort of thing.
Re: (Score:2)
sibling is right... most times, I don't even have to fill them out, instead feigning time pressures: "I have to be somewhere pretty soon - is it okay if I bring this back?" usually gets me the card with zero information to the store.
Re:considered (Score:2)
That's why I ask sharply if the info is actually required, and when they first try to hedge that it is, I begin cancelling my entire sale at which point they grudgingly admit "well, uh, really it's not, my manager just told me to ask".
Re: (Score:2)
Not really. I've been handed new cards a number of times - they don't care if it's filled out or not. Of course, they'd like it to be, but I never have....even once. Albertson's would give you a card and give you a choice as to whether or not you provided any info. KS is a bit less flexible, but it's not that much of an ordeal to get past that.
Discount cards? They are a farce! (Score:2)
I refuse to play the "discount card" game. When I make a purchase at the local CVS, they ask if I have a discount card. I say "no" and the clerk scans the store copy and I get the discount anyways without giving personal information. Often when going to stores that do not have a "store card", another customer offers their card and the clerk scans that without objection. I have even encountered clerks that have their personal card that they scan. These "discount cards" are a farce!
Re: (Score:2)
Re: (Score:2)
If you do not wish to support the "discount card game", then vote with your
feet. Shop at stores that do not have the cards. If enough people do this,
you will see these "penalty cards" disappear.
Re: (Score:2)
And where would that be?
No grocery store in my area doesn't have these cards.
Re: (Score:2)
Huh, you know, I did the same thing with CVS but I haven't actually used the card. I wonder if it works...
Re: (Score:2)
When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)
To check their security I always give them the name of my uncle .. Little Bobby Tables. [xkcd.com]
Re: (Score:2)
Is reusing the same password (as in the case of HBGary) considered negligent?
One would hope so. In Europe anyway the data registrars could get pretty snarky if a data controller were to negligent with personal data. Compliance does vary though. My bank does a decent job, while food delivery places tend to be pretty piss-poor. If you have a phone number of someone and a name, and you'd like to find their address, use the local pizza places. Assuming that person orders pizza, chances are if you give the name and number of that personal, the guy on the phone will give you the address.
Re: (Score:2)
English, motherfucker, I don't speak it.
*Been pretty rare to find someone on a pizza line here who won't tell me my address, and I don't even to get sneaky in my questioning.*
Re: (Score:2)
Good FUCKING Grief. (Score:2)
I wonder if this is something you can sue over.
Yes, some lawyer will gin up a "class action" suite to address the irreparable harm that mom, dad, gramps, and Cletus have suffered as a result of the disclosure of their almost certainly widely available email addy - and the fact that grandpa regularly buys extra large lubricated Trojans. And as is standard practice, the lawyer will walk away with 10 or 15 million while the harmed parties will get a 50 cent off anything coupon.
Yes, let's SUE! SUE! SUE! to address this heinous disregard for personal priv
Emails? (Score:1)
I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.
Re: (Score:3)
I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.
And exactly what would you do? Would you rip some 20 year old who is running the office, who has nothing to do with any of this? Would you see the store manager and rip him a new one, when HE has nothing at all to do with what the headquarters does?
Re:Emails? (Score:5, Funny)
You'd be dismayed at how often people actually believe that the guy behind the counter or on the end of a tech support line is the best target for a discussion about corporate policies and general unhappiness with capitalism and assorted laws of physics. The latter came up more than once in tech support. I declined to alter the universe at a fundamental level.
Re: (Score:2)
Re: (Score:3)
You might be surprised about Kroger - they have 17+ banners they do business with. There might not be a Kroger store, but there might be a Fry's, Smith's, Ralph's, Fred Meyer, QFC, or King Soopers.
They are all Kroger.
Names and email addresses? (Score:4, Insightful)
Re: (Score:3, Insightful)
So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!
Does that tell you something about this breach, or about the culture surrounding Facebook?
Not everybody wants their online contact info to be an open book. Not everyone on this customer list has a Facebook account. You can join the crowd that lowers the bar on privacy expectations and you will have much company. There will be many millions nodding their heads and agreeing with you and validating your opinion. The part you don't seem to appreciate is that they embrace it voluntarily. Not everyone does.
Re: (Score:2)
True, but the cost of not participating is getting bigger all the time. There's a lot of discounts you just can't get if you don't have a facebook account and good luck with a lot of those contests if you aren't on facebook or twitter.
Fortunately, it hasn't gotten to the point of companies being allowed to advertise just on social networking sites, hopefully somebody will realize that it's fundamentally a bad idea if allowing it comes up for a vote in congress.
Re: (Score:2)
You're doing it wrong if Facebook is by default making your email address completely public, or you're not the kind of person to worry too much anyway about this kind of thing. Why not have a nice cup of tea and wait for the next story to pop out?
Re: (Score:2)
Re: (Score:3)
They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but i
Re: (Score:3)
Doesn't that kind of require at least three seemingly unfounded assumptions?
1) The assumption that purchasing details were stolen
2) Kroger Co. is lying about what was disclosed (otherwise why should we castigate them for being unable to announce something before it was known)
3) It'll be less damaging to have to make two separate announcements, thus prolonging the media story, than a single announcement covering all of what they currently know
Re: (Score:2)
Epsilon is a company that does mass-market emails. Kroger uses DunnHumby USA for their statistics and market data. They use someone completely different for credit card processing, maintaining PCI compliance.
I'm pretty sure they have the capacity to have different databases, with controlled access to each. They aren't the local fruit stand, they're a Fortune-30 business.
Re: (Score:3)
I am confused how you can say "They are not saying that the only information taken was names and emails" and "They have not said that the personal information was limited to names and email addresses." To me that is pretty much exactly what the sentence that you quoted says: "We want to assure you that the only information that was obtained were names and email addresses."
I could understand saying that it takes a leap of faith to believe that was all that was acquired from the system since from the message
Re: (Score:2)
What it shows is that attacks will continue against just about every major US chain and their *contractors*, because there's a payoff for stealing info. The Kroger incident is one of the ones that we know of; there are probably many more that we have no idea about because they weren't detected.
Corporate security ought to be flawless, and it's not and their contractors should be held to the same high standarrds. This, along with TJMax and any number of breaches is a compelling reason to rethink garnering cus
Re:detected (Score:2)
I dunno - I trust "Joe in IT" more than that. However, the pointy heads are good at rolling stuff under rugs, so even if it was detected it would be instantly classified.
Re: (Score:2)
They have not said that the personal information was limited to names and email addresses.
Yes, they have. The whole "We want to let you know" construct is not a literal construct in modern English; it's simply a redundancy that allows you to open a sentence slowly to avoid sounding curt. When Amazon tells me "We just wanted to let you know that your order has shipped," they're not just sharing their feelings with me, they're let me know that my order has shipped. They wanted to let me know it, and now they're letting me know it.
In this case, the literal usage of those word (trying to tell me
Re: (Score:2)
So, they got information that sites like Facebook make completely public anyway?
So, facebook is supposed to be an example of default expected privacy? God, I hope not.
Re: (Score:3)
Facebook is more like the strange old man offering you free candy and promising there is more in the back of his van.
US Bank Too (Score:2)
Re: (Score:2)
Why? (Score:1)
Why would anyone give their email address to a grocery retailer?
Re: (Score:3)
There are several reasons. I am one of those who gave my info to Kroger, and doing so has let me save some money, partly because I also did the same with Giant Eagle (the other large grocery store chain in my area.) I pass both of them pretty much every day. Each has good weekly deals, and they both send e-mails of the deals the day before they begin. It makes it easy for me to compare and see which store to stop by in a given week and what to pick up where. They are the same ad fliers that are in the
Re: (Score:2)
Yeah, the recall stuff is nice. Sometimes.
I bought some ground beef from Kroger using the card. I cooked it and ate it. It was yummy.
A couple of weeks later, I bought something else from Kroger, and
Re: (Score:2)
Well, if you ate it and didn't get sick, then it wasn't actually bad, was it? I'm not sure what you're complaining about.
And around here, all the grocery stores have the silly little cards. I don't really have a choice if I want to eat. And I like eating.
I have generally found Kroger to be the best of the chains here, every time I've been to the others, I've gotten rotten fish - that's never happened at Kroger. The employees are generally friendly, and seem to be quite competent.
And I feel better shoppi
Re: (Score:2)
Think of the Epsilons.
Tracked??!!? (Score:2)
I just had a conversation with guy at a gas station as to why I didn't have one of their rewards cards. He kept assuring me that I wouldn't be tracked and yet I just don't believe that. For the record, assuming this list is for their "Plus Cards", we are likely on that list buuut only under a bogus name...or maybe I found a card that someone lost. Regardless, if it didn't save me $40 every time I went to the store, I wouldn't have it; saving $3 at a gas station every 3 weeks isn't enough of a reward to even
Re: (Score:2)
Unfortunately, nobody has any idea where *else* this data winds up. What would stop a company from selling it to other commercial interests? Any time you provide identifying information, it should be a (sad) expectation that it will be prostituted in some manner by the company in its possession. Bottom line? Protect yourself.
Re: (Score:2)
I think you missed my point, I wasn't talking about Kroger in terms of the "dimes"; I was talking about some of our local gas stations with their "rewards cards". I *definitely* save a lot of $$$ with Kroger's card which is why I still have it.
Did Kroger use same service as Brookstone, others? (Score:5, Interesting)
I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Foes anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and interesting to see how different companies react to the same issue. It is also good to see that the third party e-mailer is given only the base details necessary for them to perform their function and are not provided with street addresses or other unnecessary personally identifiable information.
++++++++++++Important E-Mail Security Alert++++++++++++
Dear Valued Brookstone Customer,
On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.
We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.
Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
Brookstone Customer Care
Re: (Score:2)
Apparently TiVo also used the same service, because I just got an email from them about names and email addresses being exposed.
Hm (Score:1)
Who else is using Epsilon? (Score:2)
Re: (Score:2)
That's a serious problem. Some companies are more transparent about it than others are, but a financial services firm can have quite a few contractors doing the actual work. If any of them lose a laptop or get cracked, your information can get leaked all over the place.
But, whenever privacy regulations come up for debate they typically get shouted down as "nanny state politics," discouraging personal responsibility, being socialist or causing people to lose their jobs.
Re: (Score:2)
So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)
I found an email this morning from Usbank telling me that they use Epsilon and that my email address was among the stolen files. I did a Google search and apparently Chase also uses the service.
This isn't good.
Re: (Score:2)
So far I've seen the following brands/companies affected:
McKinsey, Brookstone, U.S. Bank, Capital One, Citibank, JP Morgan Chase, Kroger, New York & Co, and Tivo.
Some additional clients of theirs include Best Buy, Fender, TIAA-CREF, MD Anderson, Visa, Kraft, Marriott International, and Johnston & Murphy/Genesco.
I expect that client list to shrink as more notifications go out.
Re: (Score:2)
Here's the press release:
...
...
...
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3 [epsilon.com]
Poking around on their site, I found this (partial) list of clients:
Americaâ(TM)s Gardening Resource
KeyBank
Staples
TIAA-CREF
Keybank and TIAA-CREF? I bet they have more interesting information than Kroger.
Re: (Score:2)
I don't have a car, so I never dealt with Fender.
But I bet you own a guitar, you brownie eating, CD copying, community gardening, union joining hippie! Fender's a guitar company.
Fake Info (Score:1)
Re: (Score:2)
Easy enough to avoid.
Fixed it for you .. (Score:2)
"... notified customers today of a breach of the database that stores its customers' fake names and fake email addresses."
There, fixed it for you.
US Bank uses Epsilon, too (Score:2)
I received a similar notification from US Bank today with regards to my linuxfund.org credit card. They called out Epsilon as the source of the leak, and claim no financial data was compromised.
---
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon h
Hackers? (Score:2)
Kroger has no idea who accessed their email system, let alone whether or not they were hackers. Seems more likely spammers, or perhaps fraudsters, would be interested in gaining accesses to customer names and email addresses.
In fact the word hacker appears nowhere in the article or summary. What is your major malfunction, Timothy?
Kroger should be required to stop collecting info (Score:2)
The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.
They're a grocery store. They don't need that info.
Re: (Score:3)
Re: (Score:2)
You do realize those aren't discounts, right?
They've just marked up the price for everybody without the card.
Third party (Score:4, Insightful)
Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.
Re: (Score:3)
Re: (Score:3)
Or maybe it's cheaper/more efficient to hire a third party so Kroger can concentrate on their actual business - selling groceries.
Re: (Score:3)
Take a deep breath there, cowboy.
It makes sense to offload e-mail delivery to a dedicated party. SMTP best practices, RBLs, proper headers, server capacity, bounce handling are essential to responsible e-mail campaigns.
Almost no business has the intimate knowledge required to operate such a thing in-house. The BEST thing to do it outsource it to a mailing list provider. And the best practice op top of that is to just copy name + email address to the third party, as they have done. And after the breach they
Re: (Score:2)
Re: (Score:2)
So, exactly what problem does implementing cryptographic mail signatures solve, anyway?
If you're planning on rejecting mail from signatures you don't recognize, you can just whitelist email addresses. We already can do that, signed messages don't make any difference.
If you just want a valid signature, that won't work. Most spam today is sent from compromised machines, and if the spammer already has control of the machine, it's trivial to use the key on the machine to sign the spam.
Re: (Score:2)
they use a third-party to manage it because they're a grocery store
They're not a grocery store. They're a chain of grocery stores with a corporate head office, their own IT staff, their own marketing, etc. Things like customer data should be handled in-house, but some pointy haired boss decided that the risk(data loss/leak) to benefit(save $$) ratio was worth it. For all they know, this might be corporate espionage, and Piggly Wiggly might have Kroger's customer list complete with emails now. The best use that Piggly Wiggly can make of this is to start advertising low,
Good Luck (Score:3)
Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!
There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.
One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.
nancy drew's lost email (Score:2)
I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?
What should one do when email is compromised? (Score:2)
I always set up a separate email account for every vendor I deal with. A surprising number of those email addresses end up getting into the hands of spammer/scammers. I always notify the companies that someone has compromised their email database, but only once have I received a response. It's no big deal for me to just divert all future email to that account to dev/null, but are there US federal laws that cover this, and is there any federal agency that should be notified so that these companies take secur
Sale? (Score:2)
Re: (Score:2)
That's kind of strange, the Smith's (local Kroger chain) in my area is always a lot cheaper than everything else. I wonder if they leave the prices up to the individual chains?
Of course, I've always wondered if the non-card prices are inflated and the card prices are what you'd normally pay. Seems like something a large company like that would do, at least.
Re: (Score:2)
I will say they have good prices on milk sometimes, with the card of course. But things like cookies, crackers, soda and othe
Of course! (Score:2)
Because a grocery store needs to hold on to customer information! How else can they... uh... well, er... PROFIT?
So what do I need to do to convince a corporation to get rid of all customer data they have on me? Oh... wait... nevermind.
US Bank and JPM Also Used Epsilon. (Score:2)
http://www.boiseweekly.com/CityDesk/archives/2011/04/02/chase-us-bank-customers-warned-of-e-mail-security-breach [boiseweekly.com]
I got basically the same message from U.S. Bank (Score:2)
U.S. Bank has the loan for my truck. I have no other dealings with them. Just got an email about the Epsilon information being stolen, supposedly only our email address (my wife's, actually). They apparently contract with Epsilon for their email services. This outsourcing of customer management always bothers me. It seems you are never dealing with a single company anymore; any commerce involves spreading your information out to a collective of "responsible" parties, regardless of appearances otherwise
This is affecting lots of companies (Score:2)
My wife got an email from TiVo, and I got an email from some branch of Disney vacation sales (no surprise -- we took a trip to DisneyWorld like 5 years ago and they still have my email address).
This is affecting a lot of companies.
Re: (Score:3)
So the Jewish conspiracy of reptile overlords in charge of Kroger can send out adverts that will in turn give them enough revenue to fund their NWO?
Re: (Score:2)
Re: (Score:3)