Hackers Steal Kroger's Customer List
wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."
I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?
These days, email addresses are about as valuable as anything. Spam, phishing scams, etc. are all capable of causing infinite problems for people.
I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.
Social Engineering Expert: Because there is no patch for stupidity.
So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!
today is spelling optional day.
I just got an email from US Bank this morning as well about the data breach with Epsilon. I wonder how many more companies are affected by this one third-party company.
Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
Why would anyone give their email address to a grocery retailer?
I just had a conversation with guy at a gas station as to why I didn't have one of their rewards cards. He kept assuring me that I wouldn't be tracked and yet I just don't believe that. For the record, assuming this list is for their "Plus Cards", we are likely on that list buuut only under a bogus name...or maybe I found a card that someone lost. Regardless, if it didn't save me $40 every time I went to the store, I wouldn't have it; saving $3 at a gas station every 3 weeks isn't enough of a reward to even bother filling out their "application". We call that "Jumping over dollars to pick up dimes"
0x09F911029D74E35BD84156C5635688C0
I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Does anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and it will be interesting to see how different companies react to the same issue. It is also good to see that the third-party e-mailer is given only the base details necessary for them to perform their function and is not provided with street addresses or other unnecessary personally identifiable information.
++++++++++++Important E-Mail Security Alert++++++++++++
Dear Valued Brookstone Customer,
On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.
We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.
Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
Brookstone Customer Care
Why am I not surprised?
Super cool handle, bro
So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Fortunately, my Kroger Plus card application was littered with fake information!
Same breach hit US Bank.
Sigh
I've got a similar email from US Bank regarding their customer emails and Epsilon:
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
Makes me wonder ...
"... notified customers today of a breach of the database that stores its customers' fake names and fake email addresses."
There, fixed it for you.
No sig for you. YOU GET NO SIG!
So the Jewish conspiracy of reptile overlords in charge of Kroger can send out adverts that will in turn give them enough revenue to fund their NWO?
-- Using the preview button since 2005
If I were to take a stab in the dark answer to this question it would be for two purposes: the first would be to send you notices and perhaps coupons. The second would be for cross referencing with external data sources. I would guess that the vast majority of email users in the wild use the same email address for everything, and having that data to cross reference your Kroger shopping profile with your Borders Books shopping profile could lead to some interesting data junctions. User is buying more fat free foods over the past 6 months and they have also started buying healthy cooking books. This could lead to some nicely targeted advertisements for weight loss or exercise programs.
I wouldn't be the least bit surprised to find that marketing companies are behind the break-ins.
Do what thou wilt shall be the whole of the Law - Aleister Crowley
Since retailers handle credit card data, PCI-DSS compliance requires that their networks be locked down and audited. That's why you rarely see retailer corporate networks invaded anymore. Mass marketing companies do not have any security requirements that I am aware of. Hopefully right now some big companies are questioning the security practices of their outsourced marketing firms. These companies need to be required to undergo regular third party security audits, and the retailers using them need to put stiff penalties for failing the audit into their contracts.
I do about 90 percent of my food shopping at a local member owned co-op.
They have my information because I am a member-owner (we all purchase shares and get a end-of-year dividend).
At the checkout, we give them our membership number. There is no price difference between members and non-members. The dividend we get is based on how much you spend.
This is a member owned co-op. The member owners elect a board of directors each year from our own ranks.
There is no outside ownership. Our member list is kept confidential within the co-op itself.
The only 'spam' I get is announcements of membership meetings and other major events at the co-op. By major, I don't mean every little group that uses our community room.
Most Respectfully Yours Mark Allyn Bellingham, Washington
I received a similar notification from US Bank today with regards to my linuxfund.org credit card. They called out Epsilon as the source of the leak, and claim no financial data was compromised.
Scratched Emulsion
TFA blames Epsilon for the breach, and Brookstone also uses Epsilon:
http://www.epsilon.com/Brookstone/p430-l2
So, I'd guess the answer is 'yes' to both questions.
Kroger has no idea who accessed their email system, let alone whether or not they were hackers. Seems more likely spammers, or perhaps fraudsters, would be interested in gaining accesses to customer names and email addresses.
In fact the word hacker appears nowhere in the article or summary. What is your major malfunction, Timothy?
I don't care why you're posting AC
I refuse to play the "discount card" game. When I make a purchase at the local CVS, they ask if I have a discount card. I say "no" and the clerk scans the store copy and I get the discount anyways without giving personal information. Often when going to stores that do not have a "store card", another customer offers their card and the clerk scans that without objection. I have even encountered clerks that have their personal card that they scan. These "discount cards" are a farce!
I realize Walmart has this practice of calling its employees "associates" instead of employees, but when did that enter common usage to describe anyone employed by a company?
This is essentially a business newspeak word designed to control thought. It implies a false increased valuation by simply using a nicer word for employees. Corporations can use it all they like, but that doesn't mean we have to adopt this usage in common language.
That's why I ask sharply if the info is actually required, and when they first try to hedge that it is, I begin cancelling my entire sale at which point they grudgingly admit "well, uh, really it's not, my manager just told me to ask".
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Yes, in a word. Radio Shack and Kroger have Albert DeSalvo at Fort Leavenworth KS is what I give them all.
It is surprising how many convicted felons are in their database !!!!
I dunno - I trust "Joe in IT" more than that. However, the pointy heads are good at rolling stuff under rugs, so even if it was detected it would be instantly classified.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.
They're a grocery store. They don't need that info.
I have a (insert large shopping chain name) discount card. I was in line and the line was busy and the cashier asked me if I wanted a card. So he activated it, scanned it and gave it to me and asked me to fill in the info on the little folder and give it back to the store. I never did that, so my card is nicely anonymous.
So they can notify you when your email address gets stolen, of course! Didn't think that one through, didja?
SIGSEGV caught, terminating
wait... not that kind of sig.
"third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?
Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.
Who is 'the nation'? This is pretty sloppy journalism for a World-wide read news service...
The only reason to use them is for gas points or other such rewards. I occasionally forget my discount card and use the store card, but at any major grocery store that gives gas points, I've found it worth it to have a card.
Social Engineering Expert: Because there is no patch for stupidity.
Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!
There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.
One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
I wonder if this is something you can sue over.
Yes, some lawyer will gin up a "class action" suit to address the irreparable harm that mom, dad, gramps, and Cletus have suffered as a result of the disclosure of their almost certainly widely available email addy - and the fact that grandpa regularly buys extra large lubricated Trojans. And as is standard practice, the lawyer will walk away with 10 or 15 million while the harmed parties will get a 50 cent off anything coupon.
Yes, let's SUE! SUE! SUE! to address this heinous disregard for personal privacy of your disposable Hotmail account!
Kruger is "The Man", FUCK The Man! Stick it to The Man! SUE! SUE! SUE!
If you want news from today, you have to come back tomorrow.
The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.
They're a grocery store. They don't need that info.
Why should they be forced to do that? It's not Kroger's fault in the first place, it's Epsilon who made the mistake.
I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?
I always set up a separate email account for every vendor I deal with. A surprising number of those email addresses end up getting into the hands of spammers/scammers. I always notify the companies that someone has compromised their email database, but only once have I received a response. It's no big deal for me to just divert all future email to that account to /dev/null, but are there US federal laws that cover this, and is there any federal agency that should be notified so that these companies take security more seriously?
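One way to make the per-vendor address practice from the post above actionable, as an added example that is not from the thread: each vendor gets its own tagged address, and unsolicited mail arriving at a tag is attributed back to that vendor. The vendor registry, the allowed sending domains and the sample messages are all constructed placeholders.

```python
# Attribute unsolicited mail to the vendor whose tagged address received it.
# Constructed example: the registry, domains and messages are placeholders.
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Hypothetical registry: which tagged address was handed to which vendor, and
# which sending domains that vendor (or its mailing provider) may legitimately use.
VENDOR_ALIASES = {
    "me+grocer@example.net": {
        "vendor": "grocer",
        "allowed_domains": {"grocer.example.com", "mailer.example.org"},
    },
    "me+bank@example.net": {
        "vendor": "bank",
        "allowed_domains": {"bank.example.com", "mailer.example.org"},
    },
}


def canonical(addr):
    """Normalise an address for comparison (case-insensitive, trimmed)."""
    return addr.strip().lower()


def sender_domain(msg):
    """Return the domain of the first From: address, or '' if there is none."""
    pairs = getaddresses(msg.get_all("From", []))
    if not pairs or "@" not in pairs[0][1]:
        return ""
    return canonical(pairs[0][1]).rsplit("@", 1)[1]


def classify(raw):
    """Map one raw RFC 5322 message to the vendor whose alias received it.

    Returns the vendor (None if no registered alias was a recipient), the
    sender domain, and whether that domain is one the vendor is allowed to use.
    """
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {canonical(addr) for _, addr in getaddresses(headers)}
    hit = next((VENDOR_ALIASES[r] for r in recipients if r in VENDOR_ALIASES), None)
    domain = sender_domain(msg)
    if hit is None:
        return {"vendor": None, "sender_domain": domain, "expected": False}
    return {"vendor": hit["vendor"], "sender_domain": domain,
            "expected": domain in hit["allowed_domains"]}


def leak_report(raw_messages, threshold=2):
    """Per vendor, collect unexpected sender domains seen at its alias and flag a
    probable leak once `threshold` distinct unexpected domains have written to it."""
    unexpected = defaultdict(set)
    report = {info["vendor"]: {"unexpected_domains": set(), "leaked": False}
              for info in VENDOR_ALIASES.values()}
    for raw in raw_messages:
        result = classify(raw)
        if result["vendor"] is None or result["expected"]:
            continue
        unexpected[result["vendor"]].add(result["sender_domain"])
    for vendor, domains in unexpected.items():
        report[vendor]["unexpected_domains"] = domains
        report[vendor]["leaked"] = len(domains) >= threshold
    return report


# Constructed sample mailbox: one legitimate mailing per vendor, two unrelated
# senders hitting the grocer's tag, and one message to an unregistered address.
SAMPLE_MESSAGES = [
    "From: Grocer Deals <deals@mailer.example.org>\nTo: me+grocer@example.net\n"
    "Subject: Weekly coupons\n\nSave 10% this week.\n",
    "From: Prize Desk <win@lottery-notice.example>\nTo: Me <ME+Grocer@Example.net>\n"
    "Subject: You won\n\nClick here.\n",
    "From: Security <alerts@account-verify.example>\nCc: me+grocer@example.net\n"
    "Subject: Verify now\n\nConfirm your card.\n",
    "From: bank notices <notices@bank.example.com>\nTo: me+bank@example.net\n"
    "Subject: Statement\n\nYour statement is ready.\n",
    "From: anyone@somewhere.example\nTo: other@example.net\nSubject: Hi\n\nHello.\n",
]

if __name__ == "__main__":
    for vendor, info in leak_report(SAMPLE_MESSAGES).items():
        print(vendor, "leaked" if info["leaked"] else "ok", sorted(info["unexpected_domains"]))
```

The threshold keeps a single typo'd or forwarded message from implicating a vendor; raise it for aliases that receive a lot of legitimate third-party mail.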
My entire life experience with that place is a fucking headache
Can't find a parking spot cause some "designer" made the place all artsy and then sucked up 2/3s of it with a dumb-ass gas station
Oh, it's 12 outside and dumping sleet, can't fucking walk on the sidewalk cause they fortified it with shit you will never ever buy, watch out for traffic
Jumping over the mountain of fortified crap, soaked in ice, nearly run over by cars, you go in to the wonderful smell of garbage and nasty looking carts, picking one that is the least covered in green sticky shit (it's called a hose, use it once in a while)
Walk in to find out you can't go anywhere cause there is so much shit in the aisles you have exactly 18 inches between a display and either another display or a fucking post, and if one person stops you're stuck
Garbage bags in the middle of baking supplies, pet food touching roach poison, shit meat selection, play their stupid card game, understaffed registers (and god help you if you ask for a pack of smokes). I would rather staple my tongue than set foot in one
I'm a Kroger customer as it's right down the street. But I have received nothing from Kroger. No warning, no nothing. I am not a happy camper.
I'm old, not dead. Well that's my 2 cents worth, your mileage may vary. I say what I think, not what you want to hear.
I just got an e-mail from US Bank stating the same and that I should be aware of suspicious e-mails, etc. blah blah blah. I wonder how widespread this is going to eventually end up?
It would be nice if these discount cards at Kroger's actually gave you a discount. All it is, is the normal price at other stores that don't have this discount card scam running. You'd think if they are selling info and making money on it, then they could actually give a decent price on items, but as far as Kroger's goes, they are WAY overpriced on many, many items. At least the ones in my area are.
Because a grocery store needs to hold on to customer information! How else can they... uh... well, er... PROFIT?
So what do I need to do to convince a corporation to get rid of all customer data they have on me? Oh... wait... nevermind.
"I am an Adept of Tantric VAX."
I worked for a huge US mutual fund company that needed to rewrite its legacy systems quickly. So management all the way up decided to send our code and production data to India to work it (hey, it was a bonded company over there.) This was names, account numbers, balances, trade histories, SSNs, addresses, DOB, bank account numbers, beneficiaries, etc of 7 million people. They ended up obfuscating the data, but only when the IT programmers at the low end of the totem pole balked.
The executives certainly didn't want to hear it because the project got delayed, deadlines were affected, executive bonuses were based on those deadlines....
Who do you think is protecting the data? It sure wasn't the leadership. And they also had layoffs there and one of the data security guys laughed and told me they watched tons of data get downloaded when layoffs happened. This was one of the top 7 mutual fund companies in the US. Bottom line, the executives are in it for 5 years and better not miss a project deadline on their watch because they want to look good going off to the next Fortune 500 company. Sarbanes Oxley documentation better not show any anomalies like programmer backdoors to the code - the auditors are clueless anyway, so just whip some stuff off that looks good and confuses them enough to stop asking for more.....
Is anyone seriously surprised that their data gets compromised anymore? C'mon.
Kroger's mistake is using Epsilon. So Kroger's mistake led to email accounts being released.
Until you pull up to the gas pump and get $.30 off for 12 gallons. Your tin hat is costing you money.
If I used a sig over again, would anyone notice?
Notifications from US Bank and JPM have also gone out.
http://www.boiseweekly.com/CityDesk/archives/2011/04/02/chase-us-bank-customers-warned-of-e-mail-security-breach
If I wore your tin hat, it would cost me $1,000 a year in discounts from Kroger. But I don't wear the hat, I take the cash.
If I used a sig over again, would anyone notice?
I received an email just a few minutes ago from TiVo saying the same thing as the Kroger one, so does TiVo outsource their customer data to this company too?
If you do not wish to support the "discount card game", then vote with your feet. Shop at stores that do not have the cards. If enough people do this, you will see these "penalty cards" disappear.
And where would that be?
No grocery store in my area doesn't have these cards.
I just got an email from US Bank, too:
Of course I was using a disposable email address, so this won't affect me too much. But, the incompetence still concerns me. I might cancel my bank account and go somewhere else, because US Bank didn't state that they were dropping Epsilon.
Got a very similar e-mail from US Bank.
Apparently TiVo also used the same service, because I just got an email from them about names and email addresses being exposed.
And per an e-mail from US Bank... they got customers' e-mail addresses (I am sure that is not all they got). I wonder if these children at Epsilon have ever heard of a WAF or even perhaps IDS/IPS?
U.S. Bank has the loan for my truck. I have no other dealings with them. Just got an email about the Epsilon information being stolen, supposedly only our email address (my wife's, actually). They apparently contract with Epsilon for their email services. This outsourcing of customer management always bothers me. It seems you are never dealing with a single company anymore; any commerce involves spreading your information out to a collective of "responsible" parties, regardless of appearances otherwise. Then, when problems arise, they have a 3rd party to point fingers at. If this had not happened, I probably never would have heard of "Epsilon".
You know, you can get one of those cards most places without giving them any personal information, like an email address.
You pretty much never have to give a retailer personal information. When I buy something and I'm asked for a phone number, for example, I just say "no." It works every time, and I've never been refused service (although doing so is apparently uncommon enough that the occasional clerk has to call a manager over to ask how to process the order).
I use a card for grocery shopping, and I tend to save about 15-30%, depending upon what sales are going on (my wife checks the store's website for sales when making the shopping list). But if their systems were compromised I wouldn't care, because they don't have any information on me. I'm just a number to them, and that's how I like it.
Why people give information to retailers is beyond me. Every time I go to a Borders they ask if I want to be on their email list. Why would I give them my email address? Despite all of the claims by marketers and "high-tech start-ups," I don't particularly like targeted advertising.
>Why people give information to retailers is beyond me.
They don't care. They really, really don't care. It doesn't occur to them that there is any problem.
-fb Everything not expressly forbidden is now mandatory.
I really wonder why these guys keep a database if they really cannot protect it; there must be some policy to put a hefty fine on organisations that commit such gross negligence.
You do realize those aren't discounts, right?
They've just marked up the price for everybody without the card.
My wife got an email from TiVo, and I got an email from some branch of Disney vacation sales (no surprise -- we took a trip to DisneyWorld like 5 years ago and they still have my email address).
This is affecting a lot of companies.
Huh, you know, I did the same thing with CVS but I haven't actually used the card. I wonder if it works...
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
@ Animats--
Have you ever run a business before? I would venture a guess to say NO. The more information ANY company has about its customers' purchasing habits the better. It enables them to market and cater to the needs of each customer on a personalized level. Why do you think so many businesses use "store cards"? In the end, if you use credit cards, especially if it is the same one all the time, a company could track your purchasing habits. They want to do anything they can to convince you that they have your best interest in mind.
I got a similar e-mail from Best Buy this morning:
Dear Valued Best Buy Customer,
On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.
We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.
In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.
Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.
Sincerely,
Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy
I received an e-mail saying this also affected Chase Bank; they use Epsilon too.