Grocery giant Kroger sent an email to current and former employees today indicating that their Social Security numbers and dates of birth may be compromised.
The extent of the breach is not yet known, according to the email. It is believed the employee information was accessed via a security breach at Equifax.
“As you may know, Equifax, which provides online access to electronic W-2 forms for Kroger and other groups, was a target of a security incident,” the email states. “While the investigation is ongoing, it appears that unknown individuals accessed the W-2Express website using default login information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions. We have no indication that Kroger’s systems have been compromised.”
The grocery giant has a total of about 400,000 employees and nearly $110 billion in sales, according to its website.
In an unrelated security breach, Kroger’s client data was compromised in 2011. It happened when unauthorized entry was gained to a client name and email database managed by a third party, Epsilon. No other personally-identifiable information was accessed, SecurityWeek reported.
Here is the text entire text of the email about the breach.
“As you may know, Equifax, which provides online access to electronic W-2 forms for Kroger and other groups, was a target of a security incident. While the investigation is ongoing, it appears that unknown individuals accessed the W-2Express website using default login information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions. We have no indication that Kroger’s systems have been compromised.
As soon as we discovered the security concern, we began working closely with Equifax, the Internal Revenue Service (IRS), the FBI and top security experts to understand what happened. We believe individuals gained access to some associates’ electronic 2015 W-2 forms and may have used the information to file tax returns in their names to claim a refund. You will know if you had a fraudulently-filed tax return if the Internal Revenue Service (IRS) notifies you.
Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.
If you are affected, you will receive additional notifications with more information. Credit monitoring services will also be provided for affected current and former associates whose information was accessed.
As a precautionary measure, we worked with Equifax to reset the default PINs needed to access the W-2Express site. Your new default PIN is the last four numbers of your Kroger EUID and your 4-digit birth year. To further safeguard your personal information, please visit www.w2express.com as soon as possible to change and create your own PIN.
If you do not know your Kroger EUID and you are a current Kroger associate, please contact your manager or local HR representative. If you are a former associate, please contact the Kroger Support Center at 1-800-952-8889 and say “W2” when prompted.
If you have been contacted by the IRS about a fraudulently-filed tax return and think you may have been affected, please email ReportMyW2@kroger.com and share your first name, last name and the location where you work now or previously worked (office, store number, plant or distribution center) so Kroger can work with Equifax to advocate on your behalf.
In addition, the IRS recommends the following initial steps to notify authorities: 1) respond to the IRS notice by calling the number provided, contacting the IRS Identity Protection Specialized Unit at 1-800-908-4490, or going to www.IDVerify.irs.gov; 2) file a report with your local police department; and 3) file a complaint with the Federal Trade Commission. Additional information is included in the attached Q&A.
Please find additional information in the attached Questions & Answers.
We are disappointed this happened. We will continue to update you as more information becomes available.”
Employee relations are already strained, as Kroger faces a lawsuit over a pension fund for workers in the nation’s central states.
On April 25, members of Kroger’s Central States Pension Fund filed a lawsuit in U.S. District Court for the Northern District of Illinois to protest impending cuts to the fund. Participating employees include warehouse workers from Michigan, Kansas, and Illinois, Cincinnati.com reported.
Administrators could cut participating retiree benefits by anywhere from 30 percent to 90 percent. The cuts are made possible by a law signed by President Obama last year, according to Cincinati.com. The Central States Pension Fund for Kroger could run out of money by 2026.
[AP Photo/David J. Phillip, File]