Kroger Co. Hit with Class Action Claiming Employee Info Compromised in Accellion Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action aims to hold The Kroger Co. accountable for alleged damages stemming from the “large and preventable” Accellion data breach.

The 43-page lawsuit claims Kroger, according to its Notice of Data Breach letter, learned of the incident on January 23, 2021 yet did not provide notice to those affected—namely, current and former employees—until nearly two months later. According to the suit, the data breach—during which third-party vendor Accellion’s FTA secure file transfer servers were accessed by authorized parties—actually occurred in December 2020. 

The complaint alleges Kroger “was aware and had full knowledge” that Accellion’s data security on the platform used by the defendant was “lax.” Prior to the breach, Accellion, the suit says, encouraged Kroger to “move to a newer and more secure transfer platform” and away from the outdated FTA file-transfer product. 

“For years, Accellion has urged that its customers (such as Kroger) migrate to its newer, more secure product ‘Kiteworks,’ which was launched roughly four years ago, yet even though advised to update its security by its own experts Kroger still failed to maintain adequate security,” the suit alleges.

As the lawsuit tells it, Kroger is among the companies who, despite the prevalence of sizeable data breaches affecting millions each year, have “failed to meet [their] obligation to protect the sensitive personal identifying information entrusted to them by current and former employees.”

“Despite its role in managing so much sensitive and personal information, Kroger failed to utilize a competent third-party data transfer company when handling and/or transferring Kroger’s current or former employees’ [personally identifiable information], and Kroger chose to use an outdated and unsecure transfer platform,” the case alleges, stressing Kroger had a responsibility to ensure its third-party vendors had in place reasonable and appropriate data safeguards. 

According to the complaint, the personal information of current and former Kroger employees that was exposed in the Accellion data breach included names, email addresses, contact details, birth dates, Social Security numbers and, for some, salary information, including net and gross pay and withholdings. Per the suit, proposed class members whose data has been exposed now have a much higher risk of identity theft and “cybercrimes of all kinds.” 

The case looks to represent all persons in the United States who are employees or former employees of Kroger, or any of its affiliates, parents or subsidiaries, who had their personal information compromised as a result of the data breach that occurred in or around December 2020.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.