Hackers Steal Kroger's Customer List

wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."

Tortious?

[mr100percent]

I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?

Re:Tortious?

[clang_jangle]

When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)

Re:Tortious?

[morari]

I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

Re:Tortious?

[MysteriousPreacher]

Is reusing the same password (as in the case of HBGary) considered negligent?

One would hope so. In Europe anyway the data registrars could get pretty snarky if a data controller were to negligent with personal data. Compliance does vary though. My bank does a decent job, while food delivery places tend to be pretty piss-poor. If you have a phone number of someone and a name, and you'd like to find their address, use the local pizza places. Assuming that person orders pizza, chances are if you give the name and number of that personal, the guy on the phone will give you the address. Been pretty rare to find someone here who won't tell me my address, and I don't even to get sneaky with it.

Re:Tortious?

[MysteriousPreacher]

English, motherfucker, I don't speak it.

*Been pretty rare to find someone on a pizza line here who won't tell me my address, and I don't even to get sneaky in my questioning.*

Re:Tortious?

[Moderator]

Okay. Now pay with the credit card that lists your name and zip code.

Re:Tortious?

[hedwards]

If only they would give a discount. Around here when the discount cards rolled out there was an immediate price hike on the regular price to a similar amount as the discount. The net effect being that you weren't saving money with the discount cards, just not being gouged as badly.

Why they were allowed to do that is beyond me, because the customers didn't have much choice given that all the major grocery chains started doing it about the same time and the smaller ones are much more expensive.

Re:Tortious?

[Penguinisto]

sibling is right... most times, I don't even have to fill them out, instead feigning time pressures: "I have to be somewhere pretty soon - is it okay if I bring this back?" usually gets me the card with zero information to the store.

Re:Tortious?

[by+(1706743)]

I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

Filling them out with fake information is almost as useful for them (assuming you do indeed use the card). Think of it as a click-tracking cookie, but for a supermarket instead of a web site. Sure, it's nice to have all the personal information you can get, but it's still useful without that.

Certain demographic statistics will get screwed up, of course (wow, that 82 year old woman sure loves her beer, Oreos and frozen pizza!). However, a huge reason that discount cards are issued is for statistical information on purchases relative to each other. If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.

Re:Tortious?

[metalmaster]

At my local ACME Market there's Hormel sliced pepperoni on the end of just about every food related isle in the store

Re:Tortious?

[jackdub]

Many friends of mine simply used a 'shared phone number' to give the checkout clerk when they asked. Works like a charm and you only need to fill out the app card once.

Re:Tortious?

[GooberToo]

The sad thing is, I'm sure the masses were all going, "Ohhh burn! Take that!", before you replied.

Re:Tortious?

[symbolic]

Not really. I've been handed new cards a number of times - they don't care if it's filled out or not. Of course, they'd like it to be, but I never have....even once. Albertson's would give you a card and give you a choice as to whether or not you provided any info. KS is a bit less flexible, but it's not that much of an ordeal to get past that.

Re:Tortious?

[koffie]

That is why I have three different customer loyalty cards for a local supermarket chain. One I use for beer, one for frozen pizza and the third for Oreos.

Do I ever need all three at once? No, I am very organised. Besides, I *only* ever use a loyalty card when there is actually a discount to be had by using it. I would be very suspicious if there was always a discount with the card, it means they are ripping you off. And I don't shop when I know they are a rip-off.

Re:Tortious?

[CastrTroy]

Thanks to the advent of the internet, you can usually find out someone's name, phone number, and address, with just one of those pieces of information. Pick a random address, look it up on a reverse directory, and you can find out the name, and the phone number of the person who lives there. Unless they don't have a land line, or they are pretty careful with their privacy, it works almost every time.

Re:Tortious?

[XorNand]

Ever use one of these cards in conjunction with a credit card? They have your real info now.

Re:Tortious?

[MimeticLie]

Meijer doesn't have discount cards. They were even touting that fact in their ad campaigns when Kroger introduced them, IIRC. However, they only have stores in Illinois, Indiana, Ohio, Kentucky, and Michigan.

Re:Tortious?

Filling them out with fake information is almost as useful for them (assuming you do indeed use the card).

So what? The idea is to protect my privacy, not try to intentionally be a dick to them. I'm glad the fake information I gave them is still useful.

Re:Tortious?

[InsaneMosquito]

I feel even more vindicated. Every time I forget my card, they ask for the phone number I used to get it. After trying the two numbers I've had for years and neither works the cashier gets frustrated and asks the next customer in line if I can borrow their card.

Re:Tortious?

[TheGratefulNet]

the local 'loyalty cards' don't require anything from you. they hand them out and you can take their stupid form, tell them 'I'll do this later' and then just use the card. the most they can get on you is what you buy, but you stay anon.

well, as long as you pay with cash only. doh! when you pay via authenticated means, you can probably guess they then can bind your name to your purchases.

but use of cash and those cards that you don't fill out (at all) are not a bad way to work the system. its trying to work you, why not work it right back at 'em?

Re:Tortious?

[morari]

Good thing I use cash for just about everything then, isn't it? ;)

Re:Tortious?

[AftanGustur]

When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)

To check their security I always give them the name of my uncle .. Little Bobby Tables.

Re:Tortious?

[__aasehi2499]

Meijer rules for more reasons than that, more people should shop there.

Re:Tortious?

[__aasehi2499]

Kroger's requires you to show I.D. to recieve a card.

Re:Tortious?

[LordLimecat]

Why they were allowed to do that is beyond me

Because having the government mandate the price of milk sounds like about the worst idea you could possibly implement, especially given that this is a capitalist system?

Because we as a people have decided that as a general rule it is best to let market forces work out the price of milk?

Re:Tortious?

[Chaos+Incarnate]

Why would I do that?

So you earn the 1-2% your card offers you back on each purchase, that comes at no cost to you if you actually pay your bill each month?

Re:Tortious?

[Chaos+Incarnate]

Meijer is nice, though while the Target across the street* has a smaller selection, for what it does have it's invariable cheaper.

*Seriously, three out of the four places I've lived, they had a Target either across the street from or right next to the Meijer. Kinda creepy.

Re:Tortious?

[cffrost]

Okay. Now pay with the credit card that lists your name and zip code.

To what end? So I can sell my marketing data for the handsome sum of $0.00, or so I can leave a paper trail for ("anti-terror," et al.) government profiling/data mining? I'll pass.

Re:Tortious?

[davidbrit2]

Meijer doesn't have them, but they seem to harvest your info anyway. Whenever I buy a fair amount of groceries there, the coupon printer at the checkout always seems to know what sort of things I would buy, even if I haven't gotten any on that visit. It's a little creepy at times.

Re:Tortious?

[Relayman]

They will mail you coupons tailored to what you actually buy. It's worth it to give them my mailing address (public) and my e-mail address (not public but it's a Gmail account so it has good spam filtering). Why wouldn't I monetize my purchasing information? Everybody else is making money off of information.

Re:Tortious?

[GWRedDragon]

If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.

While your main point is valid, this part is not necessarily correct. Items which are strongly correlated are not put next to each other; rather, they are put in different places so that people who are going to buy both of them anyway will have to visit multiple places in the store. Then, analysis determines which items are more likely to be purchased if they're someplace the person has to walk by anyway. These items are placed next to the initial items.

Re:Tortious?

[cbiltcliffe]

Since when have the masses read /.?

Re:Tortious?

[SomePgmr]

I'd guess this is like Walgreens and CVS, they're after the same market... so they compete directly and in close proximity.

Both Meijer and Target are looking to snag the, "we're much better than Walmart" market.

Re:Tortious?

[DarkVader]

Is that recent? Because I didn't.

And I periodically exchange cards with friends, acquaintances, people on the street, that sort of thing.

Re:Tortious?

[hedwards]

Milk is a bad example, most of the milk supply in the US is controlled by a very small number of concerns. A couple years back there was a push here to require all dairies to sell their milk to a collective and then require all in state purchases of milk to be done through the distributor. Thankfully it didn't go through, but it was somewhat nerve wracking watching big milk trying to drive out the last competition.

If you thought the telecommunications industry was bad, big milk is worse.

The whole notion that the US has a capitalist system is really ignorant. We don't, we have a system of monopolies, duopolies and oligopolies covering most of the economy, and even where we don't, the government regularly intervenes on behalf of large corporations to destroy as much competition as possible.

Re:Tortious?

[DMFNR]

In working at a grocery store I noticed that having your information tracked by a discount card and having a computer give you coupons for stuff you like is advertised as a feature and the masses don't even consider the implications. Most people reading this hear about people getting their information stolen all the time, and at least care somewhat about privacy, but what about the hoards of other people who are too caught up in whatever they are doing to even consider something like this to NOT be a GREAT deal.

Re:Tortious?

[LordLimecat]

You know, theres a term for "government controlling means of production", and last I checked theres never been an instance of it working out well, ever.

Re:Tortious?

[fishbowl]

What do they require for ID? How do they authenticate this ID? I wonder if there is a discrimination card to play here.

Re:Tortious?

[bitingduck]

The names and zips that go with my grocery store cards are unrelated to the names on the credit cards I use. It's never a problem.

Re:Tortious?

[Ucklak]

Because you get free stuff like free turkey for thanksgiving, free pack of burgers for 4th of July, free drinks, etc....

Anybody can find your address anyway.
Just use a throw away email and phone number (Google voice)

Names and email addresses?

[ruiner13]

So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

Re:Names and email addresses?

So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

Does that tell you something about this breach, or about the culture surrounding Facebook?

Not everybody wants their online contact info to be an open book. Not everyone on this customer list has a Facebook account. You can join the crowd that lowers the bar on privacy expectations and you will have much company. There will be many millions nodding their heads and agreeing with you and validating your opinion. The part you don't seem to appreciate is that they embrace it voluntarily. Not everyone does. That's why it took a system compromise to get this data.

Re:Names and email addresses?

[MysteriousPreacher]

You're doing it wrong if Facebook is by default making your email address completely public, or you're not the kind of person to worry too much anyway about this kind of thing. Why not have a nice cup of tea and wait for the next story to pop out?

Re:Names and email addresses?

[fermion]

"We want to assure you that the only information that was obtained were names and email addresses."

They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

Re:Names and email addresses?

[rednip]

So, they got information that sites like Facebook make completely public anyway?

So, facebook is supposed to be an example of default expected privacy? God, I hope not.

Re:Names and email addresses?

[MysteriousPreacher]

Doesn't that kind of require at least three seemingly unfounded assumptions?

1) The assumption that purchasing details were stolen
2) Kroger Co. is lying about what was disclosed (otherwise why should we castigate them for being unable to announce something before it was known)
3) It'll be less damaging to have to make two separate announcements, thus prolonging the media story, than a single announcement covering all of what they currently know

Re:Names and email addresses?

[click2005]

Facebook is more like the strange old man offering you free candy and promising there is more in the back of his van.

Re:Names and email addresses?

[JimWise]

I am confused how you can say "They are not saying that the only information taken was names and emails" and "They have not said that the personal information was limited to names and email addresses." To me that is pretty much exactly what the sentence that you quoted says: "We want to assure you that the only information that was obtained were names and email addresses."

I could understand saying that it takes a leap of faith to believe that was all that was acquired from the system since from the message we can't determine that it did not also contain other personal data. Since I got e-mails from both Kroger and Brookstone with a few hours of each other that were quite similar, it seems that both were most likely using the same e-mail service provider and that the databases were set up in a similar way. The Brookstone e-mail was a bit more specific, stating:

  "We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk."

Since no other personally identifiable info was even stored on the system, let alone in the same database, I am pretty confident that it truly was only names and e-mail addresses that were compromised.

I also do not understand how you can say that if later on it comes to light that purchasing details were also stolen no one would be able to fault them. Even Kroger explicitly stated that only names and e-mails were compromised. If they used a different system than Brookstone, or Brookstone was giving false information in their e-mail, and it comes to light that info beyond names and e-mail were compromised, then yes, that goes well beyond the extent of their original notice and they would definitely be taken to task for lying to and misleading their customers. Maybe if they had only stated "Our e-mail service was compromised and customer names and e-mail addresses may have been obtained by an unauthorized person" you would have a point since that would not explicitly state that that was ALL that was at risk, but both Kroger and Brookstone have made it quite clear that only names and e-mail addresses were compromised and no other customer related data was involved.

"We want to assure you that the only information that was obtained were names and email addresses."

They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

Re:Names and email addresses?

[hedwards]

True, but the cost of not participating is getting bigger all the time. There's a lot of discounts you just can't get if you don't have a facebook account and good luck with a lot of those contests if you aren't on facebook or twitter.

Fortunately, it hasn't gotten to the point of companies being allowed to advertise just on social networking sites, hopefully somebody will realize that it's fundamentally a bad idea if allowing it comes up for a vote in congress.

Re:Names and email addresses?

[postbigbang]

What it shows is that attacks will continue against just about every major US chain and their *contractors*, because there's a payoff for stealing info. The Kroger incident is one of the ones that we know of; there are probably many more that we have no idea about because they weren't detected.

Corporate security ought to be flawless, and it's not and their contractors should be held to the same high standarrds. This, along with TJMax and any number of breaches is a compelling reason to rethink garnering customer data at all, and probably the concept of expunging it quickly after use, and forbidding resale of the data. But the marketers will never do this, even though they should.

Re:Names and email addresses?

I'm posting AC as I have no authority to speak.

I've worked at two of the 3 largest data brokers that fit into the same tier as Epsilon.

I can tell you that they do take data very seriously. There are lots of legal rules that come into effect for data security when it comes to credit info, but top tier companies like this apply the same rigor to all data that they hold. You won't even find personally identifiable info on the same server as credit data for example.

No company is immune to attacks. It's a fact of life. It's just really trendy right now to make a big deal out of every event large or small. I know it's fun to throw stones and pretend that they are all malicious, incompetent and misleading, but the reality is that it's lots of folks working hard to do the best possible.

So sit back, breathe and at least attempt to be rational.

Re:Names and email addresses?

[quickgold192]

They have not said that the personal information was limited to names and email addresses.

Yes, they have. The whole "We want to let you know" construct is not a literal construct in modern English; it's simply a redundancy that allows you to open a sentence slowly to avoid sounding curt. When Amazon tells me "We just wanted to let you know that your order has shipped," they're not just sharing their feelings with me, they're let me know that my order has shipped. They wanted to let me know it, and now they're letting me know it.

In this case, the literal usage of those word (trying to tell me that they *want* to let me know something that may or may not be true) is not just deceitful, it's incorrect usage and bad grammar. Simply put, Krogers is telling us that only email addresses and names were stolen, and any attempt by Krogers to argue to the contrary is, frankly, hogwash.

Re:Names and email addresses?

[ruiner13]

Agreed. I never said that Facebook was the golden model of privacy. I only meant to imply that if we're not completely outraged about what Facebook does, than something like this does not merit panic or being spread like gossip. The people affected should be notified properly so they can understand the situation, but spreading it as if it were a major security break is disingenuous. It is a break, but does not need to be treated as a meltdown.

Re:Names and email addresses?

[koffie]

Hello? What are you talking about? "cost of not participating"? Are you really afraid of no longer being able to buy food or clothing without Facebook and Twitter?

Planet Earth may well run out of food to feed us all, but Facebook and Twitter are quite irrelevant when it comes to essential needs.

If you are trolling, congrats, I for one fell for your scam.

If on the other hand you truly care about "discounts", consider for a moment the possibility that you are deluded. A discount is nothing more than just a trick to lure customers. If you don't understand this, don't bother. Just spend all your money on discounts and be merry. It's the Merrycan Dream I believe. ;-)

Re:Names and email addresses?

[MachineShedFred]

Epsilon is a company that does mass-market emails. Kroger uses DunnHumby USA for their statistics and market data. They use someone completely different for credit card processing, maintaining PCI compliance.

I'm pretty sure they have the capacity to have different databases, with controlled access to each. They aren't the local fruit stand, they're a Fortune-30 business.

US Bank Too

[Serenissima]

I just got an email from US Bank this morning as well about the data breach with Epsilon. I wonder how many more companies are affected by this one third-party company.

Re:US Bank Too

[Nimloth]

Tivo too, just got an email from them.

Why?

Why would anyone give their email address to a grocery retailer?

Re:Why?

[JimWise]

There are several reasons. I am one of those who gave my info to Kroger, and doing so has let me save some money, partly because I also did the same with Giant Eagle (the other large grocery store chain in my area.) I pass both of them pretty much every day. Each has good weekly deals, and they both send e-mails of the deals the day before they begin. It makes it easy for me to compare and see which store to stop by in a given week and what to pick up where. They are the same ad fliers that are in the Sunday paper, but I have not bothered to pay for the Sunday (or any other day) paper in years. The on-line account also goes a bit beyond the paper ads. They allow you to "upload" special coupons onto your Loyalty Card. You scroll through the list of optional coupons, mark which ones you want to take advantage of, and instead of clipping coupons and having to remember to bring them into the store with you, they are "loaded" onto your Loyalty Card and automatically used when you go through the check-out.

One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

Re:Why?

[Sulphur]

Think of the Epsilons.

Re:Why?

[adolf]

One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

Yeah, the recall stuff is nice. Sometimes.

I bought some ground beef from Kroger using the card. I cooked it and ate it. It was yummy.

A couple of weeks later, I bought something else from Kroger, and again used my card. The machine printed an extra-long receipt, with recall notification on the beef that I'd bought before.

The instructions said to throw it away, or either return the tainted goods or the original receipt for a refund.

I, of course, already ate the stuff, and tossed the receipt (who actually keeps receipts for groceries?). So there was no option for me to get my money back, EVEN THOUGH THEY ALREADY KNEW THAT I BOUGHT IT.

I don't buy anything at Kroger, anymore. That's just one of the reasons why. Their policies are bad, their employees are idiots, their prices aren't all that great, their service is opposite of helpful, and I've found more expired and just plain bad food on their shelves than I have anywhere else. There's plenty of cheaper, better, friendlier, cleaner places with fresher food around here, and none of them have a loyalty card.

Re:Why?

[DarkVader]

Well, if you ate it and didn't get sick, then it wasn't actually bad, was it? I'm not sure what you're complaining about.

And around here, all the grocery stores have the silly little cards. I don't really have a choice if I want to eat. And I like eating.

I have generally found Kroger to be the best of the chains here, every time I've been to the others, I've gotten rotten fish - that's never happened at Kroger. The employees are generally friendly, and seem to be quite competent.

And I feel better shopping there because they are the only unionized grocery store in town.

Tracked??!!?

[ehrichweiss]

I just had a conversation with guy at a gas station as to why I didn't have one of their rewards cards. He kept assuring me that I wouldn't be tracked and yet I just don't believe that. For the record, assuming this list is for their "Plus Cards", we are likely on that list buuut only under a bogus name...or maybe I found a card that someone lost. Regardless, if it didn't save me $40 every time I went to the store, I wouldn't have it; saving $3 at a gas station every 3 weeks isn't enough of a reward to even bother filling out their "application". We call that "Jumping over dollars to pick up dimes"

Re:Tracked??!!?

[symbolic]

Unfortunately, nobody has any idea where *else* this data winds up. What would stop a company from selling it to other commercial interests? Any time you provide identifying information, it should be a (sad) expectation that it will be prostituted in some manner by the company in its possession. Bottom line? Protect yourself.

Re:Tracked??!!?

[Relayman]

Your "dimes" for me amounted to almost $900 at Kroger last year, and that doesn't include the savings on gas (probably another $100). You should buy stock in the company and then you can capture some of the money you're giving up in stock appreciation and dividends.

Re:Tracked??!!?

[ehrichweiss]

I think you missed my point, I wasn't talking about Kroger in terms of the "dimes"; I was talking about some of our local gas stations with their "rewards cards". I *definitely* save a lot of $$$ with Kroger's card which is why I still have it.

Re:Tracked??!!?

[Relayman]

Yep, I missed your point. I assumed when you were talking about gas station reward cards you were including the Kroger Plus card. My bad.

Did Kroger use same service as Brookstone, others?

[JimWise]

I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Foes anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and interesting to see how different companies react to the same issue. It is also good to see that the third party e-mailer is given only the base details necessary for them to perform their function and are not provided with street addresses or other unnecessary personally identifiable information.

++++++++++++Important E-Mail Security Alert++++++++++++

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care

Hm

[Tripp-phpBB]

Why am I not surprised?

Re:Emails?

[frozentier]

I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.

And exactly what would you do? Would you rip some 20 year old who is running the office, who has nothing to do with any of this? Would you see the store manager and rip him a new one, when HE has nothing at all to do with what the headquarters does?

Re:Emails?

[MysteriousPreacher]

You'd be dismayed at how often people actually believe that the guy behind the counter or on the end of a tech support line is the best target for a discussion about corporate policies and general unhappiness with capitalism and assorted laws of physics. The latter came up more than once in tech support. I declined to alter the universe at a fundamental level.

Who else is using Epsilon?

[140Mandak262Jamuna]

So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)

Re:Who else is using Epsilon?

[hedwards]

That's a serious problem. Some companies are more transparent about it than others are, but a financial services firm can have quite a few contractors doing the actual work. If any of them lose a laptop or get cracked, your information can get leaked all over the place.

But, whenever privacy regulations come up for debate they typically get shouted down as "nanny state politics," discouraging personal responsibility, being socialist or causing people to lose their jobs.

Re:Who else is using Epsilon?

[Schemat1c]

So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)

I found an email this morning from Usbank telling me that they use Epsilon and that my email address was among the stolen files. I did a Google search and apparently Chase also uses the service.

This isn't good.

Re:Who else is using Epsilon?

[mallyn]

Thank you.

Last I remembered, I paid cash for some brownies from Mrs. Fields and blank CD's from Staples.

I don't have a car, so I never dealt with Fender.

My apartment is too small for a garden, so I never dealt with America's Gardening.

I never use Key's cash machines. My credit union's are free.

Re:Who else is using Epsilon?

[Culture20]

Here's the press release:
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3
Poking around on their site, I found this (partial) list of clients:
Americaâ(TM)s Gardening Resource
...
KeyBank
...
Staples
TIAA-CREF
...

Keybank and TIAA-CREF? I bet they have more interesting information than Kroger.

Re:Who else is using Epsilon?

[Culture20]

I don't have a car, so I never dealt with Fender.

But I bet you own a guitar, you brownie eating, CD copying, community gardening, union joining hippie! Fender's a guitar company.

Re:Who else is using Epsilon?

[Malizar]

And HSN

Re:Who else is using Epsilon?

[stilwebm]

So far I've seen the following brands/companies affected:

McKinsey, Brookstone, U.S. Bank, Capital One, Citibank, JP Morgan Chase, Kroger, New York & Co, and Tivo.

Some additional clients of theirs include Best Buy, Fender, TIAA-CREF, MD Anderson, Visa, Kraft, Marriott International, and Johnston & Murphy/Genesco.

I expect that client list to shrink as more notifications go out.

Fake Info

[twollamalove]

Fortunately, my Kroger Plus card application was littered with fake information!

Re:Fake Info

[morari]

Easy enough to avoid.

Fixed it for you ..

[LoudMusic]

"... notified customers today of a breach of the database that stores its customers' fake names and fake email addresses."

There, fixed it for you.

Re:Why does a grocery store need your email addres

[MysteriousPreacher]

So the Jewish conspiracy of reptile overlords in charge of Kroger can send out adverts that will in turn give them enough revenue to fund their NWO?

Re:Why does a grocery store need your email addres

[cob666]

If I were to take a stab in the dark answer to this question it would be for two purposes, the first would be to send you notices and perhaps coupons. The second would be for cross referencing with external data sources. I would guess that the vast majority of email users in the wild use the same email address for everything and having that data to cross reference your Kroger shopping profile with your Border's Books shopping profile could lead to some interesting data junctions. User is buying more fat free foods over the past 6 months and they have also started buying healthy cooking books. This could lead to some nicely targeted advertisements for weight loss or exercise programs.

I wouldn't be the least bit surprised to find that marketing companies are behind the break-ins.

US Bank uses Epsilon, too

[Phoenix+Dreamscape]

I received a similar notification from US Bank today with regards to my linuxfund.org credit card. They called out Epsilon as the source of the leak, and claim no financial data was compromised.

---
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
---

Hackers?

[multisync]

Kroger has no idea who accessed their email system, let alone whether or not they were hackers. Seems more likely spammers, or perhaps fraudsters, would be interested in gaining accesses to customer names and email addresses.

In fact the word hacker appears nowhere in the article or summary. What is your major malfunction, Timothy?

Discount cards? They are a farce!

[wfstanle]

I refuse to play the "discount card" game. When I make a purchase at the local CVS, they ask if I have a discount card. I say "no" and the clerk scans the store copy and I get the discount anyways without giving personal information. Often when going to stores that do not have a "store card", another customer offers their card and the clerk scans that without objection. I have even encountered clerks that have their personal card that they scan. These "discount cards" are a farce!

Re:considered

[TaoPhoenix]

That's why I ask sharply if the info is actually required, and when they first try to hedge that it is, I begin cancelling my entire sale at which point they grudgingly admit "well, uh, really it's not, my manager just told me to ask".

Re:detected

[TaoPhoenix]

I dunno - I trust "Joe in IT" more than that. However, the pointy heads are good at rolling stuff under rugs, so even if it was detected it would be instantly classified.

Re:Emails?

[jhigh]

Actually, I would contact their corporate offices and asked to be removed from their database entirely and to have my account with them deleted completely. I didn't mean that I would be seeking retribution, only to make sure that my information isn't further compromised in the future.

Kroger should be required to stop collecting info

[Animats]

The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

They're a grocery store. They don't need that info.

Re:Why does a grocery store need your email addres

[The_Wilschon]

So they can notify you when your email address gets stolen, of course! Didn't think that one through, didja?

Third party

[Zedrick]

"third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

Re:Third party

[Gaygirlie]

"third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

Ignorant comment.

Why do people outsource things to others when they can do it themselves? Like for example, why do people hire a company to fix their cars? Indeed: because the company has all the tools and expertise already, you'd have to first train yourself and then get all the necessary tools in order to do it. It's exactly the same with companies: if someone else can do the same job better, easier and cheaper than if you did it yourself then obviously it makes more sense to get the someone else to do it.

Re:Third party

[DerekLyons]

Or maybe it's cheaper/more efficient to hire a third party so Kroger can concentrate on their actual business - selling groceries.

Re:Third party

[Culture20]

they use a third-party to manage it because they're a grocery store

They're not a grocery store. They're a chain of grocery stores with a corporate head office, their own IT staff, their own marketing, etc. Things like customer data should be handled in-house, but some pointy haired boss decided that the risk(data loss/leak) to benefit(save $$) ratio was worth it. For all they know, this might be corporate espionage, and Piggly Wiggly might have Kroger's customer list complete with emails now. The best use that Piggly Wiggly can make of this is to start advertising low, low, prices at Kroger via spam. A lot of Kroger-themed spam. Maybe low prices on SPAM in the spam.

Re:Third party

[joost]

Take a deep breath there, cowboy.

It makes sense to offload e-mail delivery to a dedicated party. SMTP best practices, RBLs, proper headers, server capacity, bounce handling are essential to responsible e-mail campaigns.

Almost no business has the intimate knowledge required to operate such a thing in-house. The BEST thing to do it outsource it to a mailing list provider. And the best practice op top of that is to just copy name + email address to the third party, as they have done. And after the breach they have informed their customers proactively too.

Srsly, they did everything 100% right.

Re:Third party

[danbuter]

Their data was in the CLOUD. It was safe! Ask just about any tech site!

Re:Third party

[Arrogant-Bastard]

This is specious nonsense, of course. It's the sort of FUD spread by spammers-for-hire masquerading as ESPs in order to lure unsuspecting customers in. The reality is that it's a trivial exercise to run mailng lists like this -- even those of modest intelligence can easily manage it. The combination of Linux, Apache, Mailman and an MTA-of-choice (postfix, sendmail, etc. -- not qmail, as that is only used by inferior people) makes it an afternoon's exercise to set up a properly-functioning mail server and mailing list service, with COI, RFC 2369 headers, excellent bounce processing, etc. We know this because we see thousands of instances of sites doing it on a daily basis. Further, many of those are run by relatively young/inexperienced people who are nevertheless bright enough to RTFM and pay attention to best practices, and who thus do just fine. But the spammer-for-hire industry will of course steadfastly maintain that it's necessary to pay their exorbitant fees, use their spyware, pay additional fees for "deliverability studies" (the biggest scam out there) -- of course they will, any customer that is foolish to believe this crap will pay them handsomely.

Re:Third party

[DarkVader]

So, exactly what problem does implementing cryptographic mail signatures solve, anyway?

If you're planning on rejecting mail from signatures you don't recognize, you can just whitelist email addresses. We already can do that, signed messages don't make any difference.

If you just want a valid signature, that won't work. Most spam today is sent from compromised machines, and if the spammer already has control of the machine, it's trivial to use the key on the machine to sign the spam.

Re:Third party

[scifiber_phil]

I'd go even further. Why does a supermarket need customer data in the first place? There needs to be an attitude change. Our personal data is ours, and no store deserves to have it given to them in order to give us the sale prices that they have always used as marketing tools. It never ends, and now I must give out SSN to get a fishing license. Tell me that's not an accident waiting to happen.

Re:Discount cards? They are a farce!

[jhigh]

The only reason to use them is for gas points or other such rewards. I occasionally forget my discount card and use the store card, but at any major grocery store that gives gas points, I've found it worth it to have a card.

Good Luck

[Cylix]

Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!

There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.

One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.

Good FUCKING Grief.

[Frosty+Piss]

I wonder if this is something you can sue over.

Yes, some lawyer will gin up a "class action" suite to address the irreparable harm that mom, dad, gramps, and Cletus have suffered as a result of the disclosure of their almost certainly widely available email addy - and the fact that grandpa regularly buys extra large lubricated Trojans. And as is standard practice, the lawyer will walk away with 10 or 15 million while the harmed parties will get a 50 cent off anything coupon.

Yes, let's SUE! SUE! SUE! to address this heinous disregard for personal privacy of your disposable Hotmail account!

Kruger is "The Man", FUCK The Man! Stick it to The Man! SUE! SUE! SUE!

Re:Kroger should be required to stop collecting in

[Gaygirlie]

The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

They're a grocery store. They don't need that info.

Why should they be forced to do that? It's not Kroger's fault in the first place, it's Epsilon who made the mistake.

nancy drew's lost email

[anyaristow]

I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?

What should one do when email is compromised?

[John+Jorsett]

I always set up a separate email account for every vendor I deal with. A surprising number of those email addresses end up getting into the hands of spammer/scammers. I always notify the companies that someone has compromised their email database, but only once have I received a response. It's no big deal for me to just divert all future email to that account to dev/null, but are there US federal laws that cover this, and is there any federal agency that should be notified so that these companies take security more seriously?

Screw Krogers anyway

[Osgeld]

My entire life experience with that place is a fucking headache

Cant find a parking spot cause some "designer" made the place all artsy and then sucked up 2/3s of it with a dumb ass gas station

Oh its 12 outside and dumping sleet, cant fucking walk on the sidewalk cause they fortified it with shit you will never ever buy, watch out for traffic

Jumping over the mountain of fortified crap, soaked in ice nearly ran over by cars you go in to the wonderful smell of garbage and nasty looking carts, picking one that is the least covered in green sticky shit (its called a hose, use it once in a while)

walk in to find out you cant go anywhere cause there is so much shit by the in the isles you have exactly 18 inches from a display and either another display or a fucking post and if one person stops your stuck

garbage bags in the middle of baking supplies, pet foot touching roach poison, shit meat selection, play their stupid card game, understaffed registers (and god help you if you ask for a pack of smokes) I would rather staple my tongue than step foot in one

Re:Screw Krogers anyway

[Relayman]

Oh, I'm so glad I won't run into you when I'm shopping at Kroger...

What email?

[Nov8tr]

I'm a Kroger customer as it's right down the street. But I have received nothing from Kroger. No warning, no nothing. I am not a a happy camper.

Sale?

[NetNed]

It would be nice is these discount card at Krogers actually gave you a discount. All it is, is the normal price at other stores that don't have this discount card scam running. You'd think if they are selling info and making money on it, then they could actually give a decent price on items, but as far as Krogers goes, they are WAY over priced on many, many items. At least the ones in my area are.

Re:Sale?

[Zorque]

That's kind of strange, the Smith's (local Kroger chain) in my area is always a lot cheaper than everything else. I wonder if they leave the prices up to the individual chains?

Of course, I've always wondered if the non-card prices are inflated and the card prices are what you'd normally pay. Seems like something a large company like that would do, at least.

Re:Sale?

[NetNed]

Possible. All the ones in my area (about 6 or so that I have been to) have the same prices. They do carry different things between different locations. The closest one to me have a interesting habit of getting rid of things that seem to sell well. I have given up asking because they always say ALL Krogers stopped carrying those items, only to see it at another location farther away.

I will say they have good prices on milk sometimes, with the card of course. But things like cookies, crackers, soda and others I can always find cheaper elsewhere. Sometimes $1.50 less elsewhere.

Of course!

[Caraig]

Because a grocery store needs to hold on to customer information! How else can they... uh... well, er... PROFIT?

So what do I need to do to convince a corporation to get rid of all customer data they have on me? Oh... wait... nevermind.

Re:Discount cards? They are a farce!

[Relayman]

Until you pull up to the gas pump and get $.30 off for 12 gallons. Your tin hat is costing you money.

US Bank and JPM Also Used Epsilon.

[alphasubzero949]

Notifications from US Bank and JPM have also gone out.

http://www.boiseweekly.com/CityDesk/archives/2011/04/02/chase-us-bank-customers-warned-of-e-mail-security-breach

Re:Kroger should be required to stop collecting in

[Relayman]

If I wore your tin hat, it would cost me $1,000 a year in discounts from Kroger. But I don't wear the hat, I take the cash.

TiVo too?

[toxicity69]

I received an email just a few minutes ago from TiVo saying the same thing as the Kroger one, so does TiVo outsource their customer data to this company too?

Re:Discount cards? They are a farce!

[sfm]

If you do not wish to support the "discount card game", then vote with your
feet. Shop at stores that do not have the cards. If enough people do this,
you will see these "penalty cards" disappear.

Re:Discount cards? They are a farce!

[DarkVader]

And where would that be?

No grocery store in my area doesn't have these cards.

Re:Did Kroger use same service as Brookstone, othe

[LordKronos]

Apparently TiVo also used the same service, because I just got an email from them about names and email addresses being exposed.

I got basically the same message from U.S. Bank

[Rubinstien]

U.S. Bank has the loan for my truck. I have no other dealings with them. Just got an email about the Epsilon information being stolen, supposedly only our email address (my wife's, actually). They apparently contract with Epsilon for their email services. This outsourcing of customer management always bothers me. It seems you are never dealing with a single company anymore; any commerce involves spreading your information out to a collective of "responsible" parties, regardless of appearances otherwise. Then, when problems arise, they have a 3rd party to point fingers at. If this had not happened, I probably never would have heard of "Epsilon".

Re:Discount cards? They are a farce!

[fishbowl]

>Why people give information to retailers is beyond me.

They don't care. They really, really don't care. It doesn't occur to them that there is any problem.

Why you keep those database

[cheekugames]

I really wonder why these guys keep database if they really can not protect it, there must be some policy to put a hefty fine on such organisations who do such gross negligence.

Re:Kroger should be required to stop collecting in

[DarkVader]

You do realize those aren't discounts, right?

They've just marked up the price for everybody without the card.

This is affecting lots of companies

[Logic+Bomb]

My wife got an email from TiVo, and I got an email from some branch of Disney vacation sales (no surprise -- we took a trip to DisneyWorld like 5 years ago and they still have my email address).

This is affecting a lot of companies.

Re:Discount cards? They are a farce!

[TheSpoom]

Huh, you know, I did the same thing with CVS but I haven't actually used the card. I wonder if it works...

Re:Emails?

[MachineShedFred]

You might be surprised about Kroger - they have 17+ banners they do business with. There might not be a Kroger store, but there might be a Fry's, Smith's, Ralph's, Fred Meyer, QFC, or King Soopers.

They are all Kroger.