Slashdot Mirror


Hackers Steal Kroger's Customer List

wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."

25 of 185 comments

  1. Tortious? by mr100percent · · Score: 2

    I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?

    1. Re:Tortious? by hedwards · · Score: 2

      If only they would give a discount. Around here when the discount cards rolled out there was an immediate price hike on the regular price to a similar amount as the discount. The net effect being that you weren't saving money with the discount cards, just not being gouged as badly.

      Why they were allowed to do that is beyond me, because the customers didn't have much choice given that all the major grocery chains started doing it about the same time and the smaller ones are much more expensive.

    2. Re:Tortious? by by+(1706743) · · Score: 3, Insightful

      I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

      Filling them out with fake information is almost as useful for them (assuming you do indeed use the card). Think of it as a click-tracking cookie, but for a supermarket instead of a web site. Sure, it's nice to have all the personal information you can get, but it's still useful without that.

      Certain demographic statistics will get screwed up, of course (wow, that 82 year old woman sure loves her beer, Oreos and frozen pizza!). However, a huge reason that discount cards are issued is for statistical information on purchases relative to each other. If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.

    3. Re:Tortious? by metalmaster · · Score: 2

      At my local ACME Market there's Hormel sliced pepperoni on the end of just about every food related aisle in the store

    4. Re:Tortious? by Anonymous Coward · · Score: 2, Insightful

      Filling them out with fake information is almost as useful for them (assuming you do indeed use the card).

      So what? The idea is to protect my privacy, not try to intentionally be a dick to them. I'm glad the fake information I gave them is still useful.

  2. Names and email addresses? by ruiner13 · · Score: 3, Insightful

    So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

    --

    today is spelling optional day.

    1. Re:Names and email addresses? by Anonymous Coward · · Score: 3, Insightful

      So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

      Does that tell you something about this breach, or about the culture surrounding Facebook?

      Not everybody wants their online contact info to be an open book. Not everyone on this customer list has a Facebook account. You can join the crowd that lowers the bar on privacy expectations and you will have much company. There will be many millions nodding their heads and agreeing with you and validating your opinion. The part you don't seem to appreciate is that they embrace it voluntarily. Not everyone does. That's why it took a system compromise to get this data.

    2. Re:Names and email addresses? by fermion · · Score: 2

      "We want to assure you that the only information that was obtained were names and email addresses."

      They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

    3. Re:Names and email addresses? by MysteriousPreacher · · Score: 2

      Doesn't that kind of require at least three seemingly unfounded assumptions?

      1) The assumption that purchasing details were stolen
      2) Kroger Co. is lying about what was disclosed (otherwise why should we castigate them for being unable to announce something before it was known)
      3) It'll be less damaging to have to make two separate announcements, thus prolonging the media story, than a single announcement covering all of what they currently know

      --
      -- Using the preview button since 2005

    4. Re:Names and email addresses? by click2005 · · Score: 2

      Facebook is more like the strange old man offering you free candy and promising there is more in the back of his van.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.

    5. Re:Names and email addresses? by JimWise · · Score: 2

      I am confused how you can say "They are not saying that the only information taken was names and emails" and "They have not said that the personal information was limited to names and email addresses." To me that is pretty much exactly what the sentence that you quoted says: "We want to assure you that the only information that was obtained were names and email addresses."

      I could understand saying that it takes a leap of faith to believe that was all that was acquired from the system since from the message we can't determine that it did not also contain other personal data. Since I got e-mails from both Kroger and Brookstone within a few hours of each other that were quite similar, it seems that both were most likely using the same e-mail service provider and that the databases were set up in a similar way. The Brookstone e-mail was a bit more specific, stating:

        "We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk."

      Since no other personally identifiable info was even stored on the system, let alone in the same database, I am pretty confident that it truly was only names and e-mail addresses that were compromised.

      I also do not understand how you can say that if later on it comes to light that purchasing details were also stolen no one would be able to fault them. Even Kroger explicitly stated that only names and e-mails were compromised. If they used a different system than Brookstone, or Brookstone was giving false information in their e-mail, and it comes to light that info beyond names and e-mail were compromised, then yes, that goes well beyond the extent of their original notice and they would definitely be taken to task for lying to and misleading their customers. Maybe if they had only stated "Our e-mail service was compromised and customer names and e-mail addresses may have been obtained by an unauthorized person" you would have a point since that would not explicitly state that that was ALL that was at risk, but both Kroger and Brookstone have made it quite clear that only names and e-mail addresses were compromised and no other customer related data was involved.

      "We want to assure you that the only information that was obtained were names and email addresses."

      They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

  3. Did Kroger use same service as Brookstone, others? by JimWise · · Score: 4, Interesting

    I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Does anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and it would be interesting to see how different companies react to the same issue. It is also good to see that the third party e-mailer is given only the base details necessary for them to perform their function and are not provided with street addresses or other unnecessary personally identifiable information.

    ++++++++++++Important E-Mail Security Alert++++++++++++

    Dear Valued Brookstone Customer,

    On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

    We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

    Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

    In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

    Our service provider has reported this incident to the appropriate authorities.

    We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

    Sincerely,

    Brookstone Customer Care

  4. Re:Emails? by frozentier · · Score: 2

    I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.

    And exactly what would you do? Would you rip some 20 year old who is running the office, who has nothing to do with any of this? Would you see the store manager and rip him a new one, when HE has nothing at all to do with what the headquarters does?

  5. Re:Why? by JimWise · · Score: 2

    There are several reasons. I am one of those who gave my info to Kroger, and doing so has let me save some money, partly because I also did the same with Giant Eagle (the other large grocery store chain in my area.) I pass both of them pretty much every day. Each has good weekly deals, and they both send e-mails of the deals the day before they begin. It makes it easy for me to compare and see which store to stop by in a given week and what to pick up where. They are the same ad fliers that are in the Sunday paper, but I have not bothered to pay for the Sunday (or any other day) paper in years. The on-line account also goes a bit beyond the paper ads. They allow you to "upload" special coupons onto your Loyalty Card. You scroll through the list of optional coupons, mark which ones you want to take advantage of, and instead of clipping coupons and having to remember to bring them into the store with you, they are "loaded" onto your Loyalty Card and automatically used when you go through the check-out.

    One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

  6. Re:Emails? by MysteriousPreacher · · Score: 5, Funny

    You'd be dismayed at how often people actually believe that the guy behind the counter or on the end of a tech support line is the best target for a discussion about corporate policies and general unhappiness with capitalism and assorted laws of physics. The latter came up more than once in tech support. I declined to alter the universe at a fundamental level.

    --
    -- Using the preview button since 2005

  7. Re:Why does a grocery store need your email addres by MysteriousPreacher · · Score: 2

    So the Jewish conspiracy of reptile overlords in charge of Kroger can send out adverts that will in turn give them enough revenue to fund their NWO?

    --
    -- Using the preview button since 2005

  8. Re:Why does a grocery store need your email addres by The_Wilschon · · Score: 2

    So they can notify you when your email address gets stolen, of course! Didn't think that one through, didja?

    --
    SIGSEGV caught, terminating

    wait... not that kind of sig.

  9. Third party by Zedrick · · Score: 3, Insightful

    "third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

    Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

    1. Re:Third party by Gaygirlie · · Score: 2

      "third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

      Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

      Ignorant comment.

      Why do people outsource things to others when they can do it themselves? Like for example, why do people hire a company to fix their cars? Indeed: because the company has all the tools and expertise already, you'd have to first train yourself and then get all the necessary tools in order to do it. It's exactly the same with companies: if someone else can do the same job better, easier and cheaper than if you did it yourself then obviously it makes more sense to get the someone else to do it.

    2. Re:Third party by DerekLyons · · Score: 2

      Or maybe it's cheaper/more efficient to hire a third party so Kroger can concentrate on their actual business - selling groceries.

    3. Re:Third party by joost · · Score: 2

      Take a deep breath there, cowboy.

      It makes sense to offload e-mail delivery to a dedicated party. SMTP best practices, RBLs, proper headers, server capacity, bounce handling are essential to responsible e-mail campaigns.

      Almost no business has the intimate knowledge required to operate such a thing in-house. The BEST thing to do is to outsource it to a mailing list provider. And the best practice on top of that is to just copy name + email address to the third party, as they have done. And after the breach they have informed their customers proactively too.

      Srsly, they did everything 100% right.

  10. Good Luck by Cylix · · Score: 2

    Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!

    There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.

    One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra

  11. Re:Kroger should be required to stop collecting in by Gaygirlie · · Score: 2

    The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

    They're a grocery store. They don't need that info.

    Why should they be forced to do that? It's not Kroger's fault in the first place, it's Epsilon who made the mistake.

  12. nancy drew's lost email by anyaristow · · Score: 2

    I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?

  13. Re:Emails? by MachineShedFred · · Score: 2

    You might be surprised about Kroger - they have 17+ banners they do business with. There might not be a Kroger store, but there might be a Fry's, Smith's, Ralph's, Fred Meyer, QFC, or King Soopers.

    They are all Kroger.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.