Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hackers Steal Kroger's Customer List

timothy posted more than 3 years ago | from the now-they-know-who-buys-food dept.

Privacy 185

wiredmikey writes "Kroger, the nation's largest traditional grocery retailer with more than 338,000 associates, notified customers today of a breach of the database that stores its customers' names and email addresses. The company said the incident occurred at Epsilon, the third-party vendor Kroger uses to manage its customer email database." Reader SatanClauz SatanClauz quotes the email that went out to Kroger customers ("We were notified and became aware of unauthorized access to our email list by someone outside our company. We want to assure you that the only information that was obtained were names and email addresses."), writing "At least they were smart enough to separate the email db from the rest of customer information! — or so they say..."

cancel ×

185 comments

Sorry! There are no comments related to the filter you selected.

Tortious? (2)

mr100percent (57156) | more than 3 years ago | (#35693384)

I wonder if this is something you can sue over. For example, is reusing the same password (as in the case of HBGary) considered negligent?

Re:Tortious? (1)

clang_jangle (975789) | more than 3 years ago | (#35693408)

When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)

Re:Tortious? (1)

morari (1080535) | more than 3 years ago | (#35693588)

I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

Re:Tortious? (1)

Moderator (189749) | more than 3 years ago | (#35693634)

Okay. Now pay with the credit card that lists your name and zip code.

Re:Tortious? (1, Flamebait)

GooberToo (74388) | more than 3 years ago | (#35693808)

The sad thing is, I'm sure the masses were all going, "Ohhh burn! Take that!", before you replied.

Re:Tortious? (0)

Anonymous Coward | more than 3 years ago | (#35694100)

Why would I do that? I pay for groceries with cash (at least until the government succeeds in making cash illegal). And yes, you can easily decouple the store's ability to track your purchases to the discount card and your name by using the ATM just outside (or sometimes just inside) the door of the store to get your cash. Then use cash at the checkout with your discount card. Remaining mostly anonymous at the store isn't difficult at all. (Of course it helps if you are using a Credit Union that doesn't charge you ATM fees).

Re:Tortious? (1)

morari (1080535) | more than 3 years ago | (#35694314)

Good thing I use cash for just about everything then, isn't it? ;)

Re:Tortious? (2)

hedwards (940851) | more than 3 years ago | (#35693638)

If only they would give a discount. Around here when the discount cards rolled out there was an immediate price hike on the regular price to a similar amount as the discount. The net effect being that you weren't saving money with the discount cards, just not being gouged as badly.

Why they were allowed to do that is beyond me, because the customers didn't have much choice given that all the major grocery chains started doing it about the same time and the smaller ones are much more expensive.

Re:Tortious? (1)

MimeticLie (1866406) | more than 3 years ago | (#35694058)

Meijer doesn't have discount cards. They were even touting that fact in their ad campaigns when Kroger introduced them, IIRC. However, they only have stores in Illinois, Indiana, Ohio, Kentucky, and Michigan.

Re:Tortious? (3, Insightful)

by (1706743) (1706744) | more than 3 years ago | (#35693728)

I didn't realize that anyone filled them out with real information. Why would you? To help Kroger track trends and marketing? Forget that, just give me the discount. :P

Filling them out with fake information is almost as useful for them (assuming you do indeed use the card). Think of it as a click-tracking cookie, but for a supermarket instead of a web site. Sure, it's nice to have all the personal information you can get, but it's still useful without that.

Certain demographic statistics will get screwed up, of course (wow, that 82 year old woman sure loves her beer, Oreos and frozen pizza!). However, a huge reason that discount cards are issued is for statistical information on purchases relative to each other. If you're in a supermarket and you see two seemingly unrelated items next to each other, there's a chance that there's a purchasing correlation.

Re:Tortious? (2)

metalmaster (1005171) | more than 3 years ago | (#35693776)

At my local ACME Market there's Hormel sliced pepperoni on the end of just about every food related isle in the store

Re:Tortious? (1)

koffie (174720) | more than 3 years ago | (#35693928)

That is why I have three different customer loyalty cards for a local supermarket chain. One I use for beer, one for frozen pizza and the third for Oreos.

Do I ever need all three at once? No, I am very organised. Besides, I *only* ever use a loyalty card when there is actually a discount to be had by using it. I would be very suspicious if there was always a discount with the card, it means they are ripping you off. And I don't shop when I know they are a rip-off.

Re:Tortious? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35694064)

Filling them out with fake information is almost as useful for them (assuming you do indeed use the card).

So what? The idea is to protect my privacy, not try to intentionally be a dick to them. I'm glad the fake information I gave them is still useful.

Re:Tortious? (1)

jackdub (1938908) | more than 3 years ago | (#35693782)

Many friends of mine simply used a 'shared phone number' to give the checkout clerk when they asked. Works like a charm and you only need to fill out the app card once.

Re:Tortious? (0)

Anonymous Coward | more than 3 years ago | (#35693836)

About 10 years ago I worked for Kroger and was given one of those cards as an employee, but with a flag that gave an additional 10% discount on all store-brand products. I assume it was pre-filled with my personal information, but I continued using it for years after I was an employee (since they never turned off the extra discount).

Re:Tortious? (1)

XorNand (517466) | more than 3 years ago | (#35694026)

Ever use one of these cards in conjunction with a credit card? They have your real info now.

Re:Tortious? (1)

TheGratefulNet (143330) | more than 3 years ago | (#35694156)

the local 'loyalty cards' don't require anything from you. they hand them out and you can take their stupid form, tell them 'I'll do this later' and then just use the card. the most they can get on you is what you buy, but you stay anon.

well, as long as you pay with cash only. doh! when you pay via authenticated means, you can probably guess they then can bind your name to your purchases.

but use of cash and those cards that you don't fill out (at all) are not a bad way to work the system. its trying to work you, why not work it right back at 'em?

Re:Tortious? (1)

Penguinisto (415985) | more than 3 years ago | (#35693642)

sibling is right... most times, I don't even have to fill them out, instead feigning time pressures: "I have to be somewhere pretty soon - is it okay if I bring this back?" usually gets me the card with zero information to the store.

Re:Tortious? (0)

Anonymous Coward | more than 3 years ago | (#35693758)

Legally this could be considered a fraud...not that I side with the retailers : "mislieading with intention to obtain something of a value".

Re:considered (1)

TaoPhoenix (980487) | more than 3 years ago | (#35693784)

That's why I ask sharply if the info is actually required, and when they first try to hedge that it is, I begin cancelling my entire sale at which point they grudgingly admit "well, uh, really it's not, my manager just told me to ask".

Re:Tortious? (1)

symbolic (11752) | more than 3 years ago | (#35693882)

Not really. I've been handed new cards a number of times - they don't care if it's filled out or not. Of course, they'd like it to be, but I never have....even once. Albertson's would give you a card and give you a choice as to whether or not you provided any info. KS is a bit less flexible, but it's not that much of an ordeal to get past that.

Discount cards? They are a farce! (1)

wfstanle (1188751) | more than 3 years ago | (#35693720)

I refuse to play the "discount card" game. When I make a purchase at the local CVS, they ask if I have a discount card. I say "no" and the clerk scans the store copy and I get the discount anyways without giving personal information. Often when going to stores that do not have a "store card", another customer offers their card and the clerk scans that without objection. I have even encountered clerks that have their personal card that they scan. These "discount cards" are a farce!

Re:Discount cards? They are a farce! (0)

Anonymous Coward | more than 3 years ago | (#35693962)

I have a (insert large shopping chain name) discount card. I was in line and the line was busy and the cashier asked me if I wanted a card. So he activated it, scanned it and gave it to me and asked me to fill in the info on the little folder and give it back to the store. I never did that, so my card is nicely anonymous.

Re:Discount cards? They are a farce! (1)

jhigh (657789) | more than 3 years ago | (#35694130)

The only reason to use them is for gas points or other such rewards. I occasionally forget my discount card and use the store card, but at any major grocery store that gives gas points, I've found it worth it to have a card.

Re:Tortious? (1)

InsaneMosquito (1067380) | more than 3 years ago | (#35694070)

I feel even more vindicated. Every time I forget my card, they ask for the phone number I used to get it. After trying the two numbers I've had for years and neither works the cashier gets frustrated and asks the next customer in line if I can borrow their card.

Re:Tortious? (1)

AftanGustur (7715) | more than 3 years ago | (#35694448)

When filling out those "super saver" card deals I always give them my landline phone number, a throwaway email address, and my name. As a Kroger's shopper, I feel vindicated today. :)

To check their security I always give them the name of my uncle .. Little Bobby Tables. [xkcd.com]

Re:Tortious? (1)

MysteriousPreacher (702266) | more than 3 years ago | (#35693612)

Is reusing the same password (as in the case of HBGary) considered negligent?

One would hope so. In Europe anyway the data registrars could get pretty snarky if a data controller were to negligent with personal data. Compliance does vary though. My bank does a decent job, while food delivery places tend to be pretty piss-poor. If you have a phone number of someone and a name, and you'd like to find their address, use the local pizza places. Assuming that person orders pizza, chances are if you give the name and number of that personal, the guy on the phone will give you the address. Been pretty rare to find someone here who won't tell me my address, and I don't even to get sneaky with it.

Re:Tortious? (1)

MysteriousPreacher (702266) | more than 3 years ago | (#35693618)

English, motherfucker, I don't speak it.

*Been pretty rare to find someone on a pizza line here who won't tell me my address, and I don't even to get sneaky in my questioning.*

Re:Tortious? (1)

CastrTroy (595695) | more than 3 years ago | (#35693946)

Thanks to the advent of the internet, you can usually find out someone's name, phone number, and address, with just one of those pieces of information. Pick a random address, look it up on a reverse directory, and you can find out the name, and the phone number of the person who lives there. Unless they don't have a land line, or they are pretty careful with their privacy, it works almost every time.

Good FUCKING Grief. (1)

Frosty Piss (770223) | more than 3 years ago | (#35694270)

I wonder if this is something you can sue over.

Yes, some lawyer will gin up a "class action" suite to address the irreparable harm that mom, dad, gramps, and Cletus have suffered as a result of the disclosure of their almost certainly widely available email addy - and the fact that grandpa regularly buys extra large lubricated Trojans. And as is standard practice, the lawyer will walk away with 10 or 15 million while the harmed parties will get a 50 cent off anything coupon.

Yes, let's SUE! SUE! SUE! to address this heinous disregard for personal privacy of your disposable Hotmail account!

Kruger is "The Man", FUCK The Man! Stick it to The Man! SUE! SUE! SUE!

Emails? (0)

jhigh (657789) | more than 3 years ago | (#35693386)

These days, email addresses are about as valuable as anything. Spam, phishing scams, etc. are all capable of causing infinite problems for people.

I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.

Re:Emails? (2)

frozentier (1542099) | more than 3 years ago | (#35693458)

I don't show up at Kroger (there aren't any close to where I live), but if I did, they would be hearing from me.

And exactly what would you do? Would you rip some 20 year old who is running the office, who has nothing to do with any of this? Would you see the store manager and rip him a new one, when HE has nothing at all to do with what the headquarters does?

Re:Emails? (5, Funny)

MysteriousPreacher (702266) | more than 3 years ago | (#35693484)

You'd be dismayed at how often people actually believe that the guy behind the counter or on the end of a tech support line is the best target for a discussion about corporate policies and general unhappiness with capitalism and assorted laws of physics. The latter came up more than once in tech support. I declined to alter the universe at a fundamental level.

Re:Emails? (1)

jhigh (657789) | more than 3 years ago | (#35693910)

Actually, I would contact their corporate offices and asked to be removed from their database entirely and to have my account with them deleted completely. I didn't mean that I would be seeking retribution, only to make sure that my information isn't further compromised in the future.

Names and email addresses? (3, Insightful)

ruiner13 (527499) | more than 3 years ago | (#35693388)

So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

Re:Names and email addresses? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#35693430)

So, they got information that sites like Facebook make completely public anyway? I'm sorry, I guess I'm just all out of unwarranted outrage and fear today. Wake me up when they have credit card numbers, SSNs, or something like my mother's maiden name. You know, stuff that can actually be used for something malicious. All they can do now is send me an email with *gasp* my name in it!

Does that tell you something about this breach, or about the culture surrounding Facebook?

Not everybody wants their online contact info to be an open book. Not everyone on this customer list has a Facebook account. You can join the crowd that lowers the bar on privacy expectations and you will have much company. There will be many millions nodding their heads and agreeing with you and validating your opinion. The part you don't seem to appreciate is that they embrace it voluntarily. Not everyone does. That's why it took a system compromise to get this data.

Re:Names and email addresses? (1)

hedwards (940851) | more than 3 years ago | (#35693652)

True, but the cost of not participating is getting bigger all the time. There's a lot of discounts you just can't get if you don't have a facebook account and good luck with a lot of those contests if you aren't on facebook or twitter.

Fortunately, it hasn't gotten to the point of companies being allowed to advertise just on social networking sites, hopefully somebody will realize that it's fundamentally a bad idea if allowing it comes up for a vote in congress.

Re:Names and email addresses? (1)

koffie (174720) | more than 3 years ago | (#35694188)

Hello? What are you talking about? "cost of not participating"? Are you really afraid of no longer being able to buy food or clothing without Facebook and Twitter?

Planet Earth may well run out of food to feed us all, but Facebook and Twitter are quite irrelevant when it comes to essential needs.

If you are trolling, congrats, I for one fell for your scam.

If on the other hand you truly care about "discounts", consider for a moment the possibility that you are deluded. A discount is nothing more than just a trick to lure customers. If you don't understand this, don't bother. Just spend all your money on discounts and be merry. It's the Merrycan Dream I believe. ;-)

Re:Names and email addresses? (0)

Anonymous Coward | more than 3 years ago | (#35693438)

As FDR said (sortof) "With great power comes great responsibility".

The internet is an amazingly powerful tool but people ignore the implications of its use.

Unless you protect yourself you're going to get hurt. In some ways its like Marie Curie working with radioactive materials but the
difference is that in those days people didn't know any better. If Curie was doing the same research today people would call her an idiot
(and a terrorist I guess) and quite rightly so.

These days most people are content to share every detail of their lives with every stranger they meet on the internet. There are enough
warning signs so if people are stupid enough to use the same email address and password for every site then all I can do is laugh.

Re:Names and email addresses? (1)

MysteriousPreacher (702266) | more than 3 years ago | (#35693456)

You're doing it wrong if Facebook is by default making your email address completely public, or you're not the kind of person to worry too much anyway about this kind of thing. Why not have a nice cup of tea and wait for the next story to pop out?

Re:Names and email addresses? (1)

ruiner13 (527499) | more than 3 years ago | (#35694140)

Agreed. I never said that Facebook was the golden model of privacy. I only meant to imply that if we're not completely outraged about what Facebook does, than something like this does not merit panic or being spread like gossip. The people affected should be notified properly so they can understand the situation, but spreading it as if it were a major security break is disingenuous. It is a break, but does not need to be treated as a meltdown.

Re:Names and email addresses? (2)

fermion (181285) | more than 3 years ago | (#35693460)

"We want to assure you that the only information that was obtained were names and email addresses."

They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

Re:Names and email addresses? (2)

MysteriousPreacher (702266) | more than 3 years ago | (#35693544)

Doesn't that kind of require at least three seemingly unfounded assumptions?

1) The assumption that purchasing details were stolen
2) Kroger Co. is lying about what was disclosed (otherwise why should we castigate them for being unable to announce something before it was known)
3) It'll be less damaging to have to make two separate announcements, thus prolonging the media story, than a single announcement covering all of what they currently know

Re:Names and email addresses? (0)

Anonymous Coward | more than 3 years ago | (#35693576)

Learn2read. Visit borders or b&n, or powells.

Re:Names and email addresses? (2)

JimWise (1804930) | more than 3 years ago | (#35693598)

I am confused how you can say "They are not saying that the only information taken was names and emails" and "They have not said that the personal information was limited to names and email addresses." To me that is pretty much exactly what the sentence that you quoted says: "We want to assure you that the only information that was obtained were names and email addresses."

I could understand saying that it takes a leap of faith to believe that was all that was acquired from the system since from the message we can't determine that it did not also contain other personal data. Since I got e-mails from both Kroger and Brookstone with a few hours of each other that were quite similar, it seems that both were most likely using the same e-mail service provider and that the databases were set up in a similar way. The Brookstone e-mail was a bit more specific, stating:

  "We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk."

Since no other personally identifiable info was even stored on the system, let alone in the same database, I am pretty confident that it truly was only names and e-mail addresses that were compromised.

I also do not understand how you can say that if later on it comes to light that purchasing details were also stolen no one would be able to fault them. Even Kroger explicitly stated that only names and e-mails were compromised. If they used a different system than Brookstone, or Brookstone was giving false information in their e-mail, and it comes to light that info beyond names and e-mail were compromised, then yes, that goes well beyond the extent of their original notice and they would definitely be taken to task for lying to and misleading their customers. Maybe if they had only stated "Our e-mail service was compromised and customer names and e-mail addresses may have been obtained by an unauthorized person" you would have a point since that would not explicitly state that that was ALL that was at risk, but both Kroger and Brookstone have made it quite clear that only names and e-mail addresses were compromised and no other customer related data was involved.

"We want to assure you that the only information that was obtained were names and email addresses."

They are not saying that the only information taken was names and emails. They want to say that such is the case. From what I can tell about notification laws, this is to comply with the law. They have notified customers that their personal data has been stolen. They have not said that the personal information was limited to names and email addresses. A reasonable person may interpret it that way, but if in a week they say purchasing details were also stolen, no one is going to be able to fault them in any meaningful way. Krogers has complied with the law. If people interpret this compliance to be beyond the scope of the compliance, then that is a personal problem.

Re:Names and email addresses? (1)

postbigbang (761081) | more than 3 years ago | (#35693660)

What it shows is that attacks will continue against just about every major US chain and their *contractors*, because there's a payoff for stealing info. The Kroger incident is one of the ones that we know of; there are probably many more that we have no idea about because they weren't detected.

Corporate security ought to be flawless, and it's not and their contractors should be held to the same high standarrds. This, along with TJMax and any number of breaches is a compelling reason to rethink garnering customer data at all, and probably the concept of expunging it quickly after use, and forbidding resale of the data. But the marketers will never do this, even though they should.

Re:detected (1)

TaoPhoenix (980487) | more than 3 years ago | (#35693850)

I dunno - I trust "Joe in IT" more than that. However, the pointy heads are good at rolling stuff under rugs, so even if it was detected it would be instantly classified.

Re:Names and email addresses? (1)

Anonymous Coward | more than 3 years ago | (#35693680)

I'm posting AC as I have no authority to speak.

I've worked at two of the 3 largest data brokers that fit into the same tier as Epsilon.

I can tell you that they do take data very seriously. There are lots of legal rules that come into effect for data security when it comes to credit info, but top tier companies like this apply the same rigor to all data that they hold. You won't even find personally identifiable info on the same server as credit data for example.

No company is immune to attacks. It's a fact of life. It's just really trendy right now to make a big deal out of every event large or small. I know it's fun to throw stones and pretend that they are all malicious, incompetent and misleading, but the reality is that it's lots of folks working hard to do the best possible.

So sit back, breathe and at least attempt to be rational.

Re:Names and email addresses? (1)

quickgold192 (1014925) | more than 3 years ago | (#35693698)

They have not said that the personal information was limited to names and email addresses.

Yes, they have. The whole "We want to let you know" construct is not a literal construct in modern English; it's simply a redundancy that allows you to open a sentence slowly to avoid sounding curt. When Amazon tells me "We just wanted to let you know that your order has shipped," they're not just sharing their feelings with me, they're let me know that my order has shipped. They wanted to let me know it, and now they're letting me know it.

In this case, the literal usage of those word (trying to tell me that they *want* to let me know something that may or may not be true) is not just deceitful, it's incorrect usage and bad grammar. Simply put, Krogers is telling us that only email addresses and names were stolen, and any attempt by Krogers to argue to the contrary is, frankly, hogwash.

Re:Names and email addresses? (1)

rednip (186217) | more than 3 years ago | (#35693490)

So, they got information that sites like Facebook make completely public anyway?

So, facebook is supposed to be an example of default expected privacy? God, I hope not.

Re:Names and email addresses? (2)

click2005 (921437) | more than 3 years ago | (#35693566)

Facebook is more like the strange old man offering you free candy and promising there is more in the back of his van.

US Bank Too (1)

Serenissima (1210562) | more than 3 years ago | (#35693396)

I just got an email from US Bank this morning as well about the data breach with Epsilon. I wonder how many more companies are affected by this one third-party company.

Re:US Bank Too (0)

Anonymous Coward | more than 3 years ago | (#35693476)

Partial client list is in the drop down on this page: http://www.epsilon.com/Case%20Studies/p43-l1

Why? (1)

Anonymous Coward | more than 3 years ago | (#35693398)

Why would anyone give their email address to a grocery retailer?

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35693424)

Coupons.

Re:Why? (1)

Sulphur (1548251) | more than 3 years ago | (#35693574)

Think of the Epsilons.

Re:Why? (2)

JimWise (1804930) | more than 3 years ago | (#35693470)

There are several reasons. I am one of those who gave my info to Kroger, and doing so has let me save some money, partly because I also did the same with Giant Eagle (the other large grocery store chain in my area.) I pass both of them pretty much every day. Each has good weekly deals, and they both send e-mails of the deals the day before they begin. It makes it easy for me to compare and see which store to stop by in a given week and what to pick up where. They are the same ad fliers that are in the Sunday paper, but I have not bothered to pay for the Sunday (or any other day) paper in years. The on-line account also goes a bit beyond the paper ads. They allow you to "upload" special coupons onto your Loyalty Card. You scroll through the list of optional coupons, mark which ones you want to take advantage of, and instead of clipping coupons and having to remember to bring them into the store with you, they are "loaded" onto your Loyalty Card and automatically used when you go through the check-out.

One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

Re:Why? (1)

adolf (21054) | more than 3 years ago | (#35693966)

One other non-discount reason to give them your e-mail and use the Loyalty Card is that if an item is recalled they can track who bought the item and send them an e-mail stating what was recalled, the reason it was recalled, and what to do with the item to safely fix it or discard it or return it for a refund.

Yeah, the recall stuff is nice. Sometimes.

I bought some ground beef from Kroger using the card. I cooked it and ate it. It was yummy.

A couple of weeks later, I bought something else from Kroger, and again used my card. The machine printed an extra-long receipt, with recall notification on the beef that I'd bought before.

The instructions said to throw it away, or either return the tainted goods or the original receipt for a refund.

I, of course, already ate the stuff, and tossed the receipt (who actually keeps receipts for groceries?). So there was no option for me to get my money back, EVEN THOUGH THEY ALREADY KNEW THAT I BOUGHT IT.

I don't buy anything at Kroger, anymore. That's just one of the reasons why. Their policies are bad, their employees are idiots, their prices aren't all that great, their service is opposite of helpful, and I've found more expired and just plain bad food on their shelves than I have anywhere else. There's plenty of cheaper, better, friendlier, cleaner places with fresher food around here, and none of them have a loyalty card.

Tracked??!!? (1)

ehrichweiss (706417) | more than 3 years ago | (#35693416)

I just had a conversation with guy at a gas station as to why I didn't have one of their rewards cards. He kept assuring me that I wouldn't be tracked and yet I just don't believe that. For the record, assuming this list is for their "Plus Cards", we are likely on that list buuut only under a bogus name...or maybe I found a card that someone lost. Regardless, if it didn't save me $40 every time I went to the store, I wouldn't have it; saving $3 at a gas station every 3 weeks isn't enough of a reward to even bother filling out their "application". We call that "Jumping over dollars to pick up dimes"

Re:Tracked??!!? (0)

Anonymous Coward | more than 3 years ago | (#35693716)

The only reason stores offer a rewards program is so that they can track your purchases over time, both for aggregate modelling of consumer behavior ("customers who buy X also frequently buy Y") and for targeted marketing for you ("we noticed you bought X; many of your fellow customers have also been very happy with Y").

Re:Tracked??!!? (1)

symbolic (11752) | more than 3 years ago | (#35693924)

Unfortunately, nobody has any idea where *else* this data winds up. What would stop a company from selling it to other commercial interests? Any time you provide identifying information, it should be a (sad) expectation that it will be prostituted in some manner by the company in its possession. Bottom line? Protect yourself.

Did Kroger use same service as Brookstone, others? (4, Interesting)

JimWise (1804930) | more than 3 years ago | (#35693420)

I got the e-mail from Kroger within three hours of receiving a very similar e-mail from Brookstone. Although not identical, the two e-mails are quite similar. Foes anyone know who this e-mail service provider is and what other companies may have been affected by this? It is nice to see Kroger and Brookstone act quickly to let their customers know the extent of the data that was compromised, but if this is the fault of a common e-mail service provider I would think that many more than just two companies were affected by this, and interesting to see how different companies react to the same issue. It is also good to see that the third party e-mailer is given only the base details necessary for them to perform their function and are not provided with street addresses or other unnecessary personally identifiable information.

++++++++++++Important E-Mail Security Alert++++++++++++

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care

Re:Did Kroger use same service as Brookstone, othe (0)

Anonymous Coward | more than 3 years ago | (#35693706)

TFA blames Epsilon for the breach, and Brookstone also uses Epsilon:

http://www.epsilon.com/Brookstone/p430-l2

So, I'd guess the answer is 'yes' to both questions.

Hm (1)

Tripp-phpBB (1912354) | more than 3 years ago | (#35693426)

Why am I not surprised?

Satan Clauz Satan Clauz (0)

Anonymous Coward | more than 3 years ago | (#35693462)

Super cool handle, bro

Who else is using Epsilon? (1)

140Mandak262Jamuna (970587) | more than 3 years ago | (#35693492)

So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)

Re:Who else is using Epsilon? (1)

hedwards (940851) | more than 3 years ago | (#35693688)

That's a serious problem. Some companies are more transparent about it than others are, but a financial services firm can have quite a few contractors doing the actual work. If any of them lose a laptop or get cracked, your information can get leaked all over the place.

But, whenever privacy regulations come up for debate they typically get shouted down as "nanny state politics," discouraging personal responsibility, being socialist or causing people to lose their jobs.

Re:Who else is using Epsilon? (0)

Anonymous Coward | more than 3 years ago | (#35693748)

Here's the press release:

http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3

Poking around on their site, I found this (partial) list of clients:

America’s Gardening Resource
Masune
Arhaus
Ballard Designs
Brookstone
Fabulous-Furs
Fender
Johnston & Murphy
KeyBank
Major Airline [presumably not KeyBank]
MD Anderson
Mrs. Beasley's
Mrs. Fields
Netezza
New York & Company
Staples
TIAA-CREF
Walter Drake

Re:Who else is using Epsilon? (1)

mallyn (136041) | more than 3 years ago | (#35693954)

Thank you.

Last I remembered, I paid cash for some brownies from Mrs. Fields and blank CD's from Staples.

I don't have a car, so I never dealt with Fender.

My apartment is too small for a garden, so I never dealt with America's Gardening.

I never use Key's cash machines. My credit union's are free.

Re:Who else is using Epsilon? (1)

Culture20 (968837) | more than 3 years ago | (#35693996)

Here's the press release:
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3 [epsilon.com]
Poking around on their site, I found this (partial) list of clients:
Americaâ(TM)s Gardening Resource
...
KeyBank
...
Staples
TIAA-CREF
...

Keybank and TIAA-CREF? I bet they have more interesting information than Kroger.

Re:Who else is using Epsilon? (1)

Schemat1c (464768) | more than 3 years ago | (#35693750)

So Kroger's customer list is stolen from Epsilon! I wonder what other companies are using Epsilon to manage their customer list. So we need to identify who is managing the client list of Epsilon. If that site is known to be hackable .. hee... hee... :-)

I found an email this morning from Usbank telling me that they use Epsilon and that my email address was among the stolen files. I did a Google search and apparently Chase also uses the service.

This isn't good.

Fake Info (1)

twollamalove (935519) | more than 3 years ago | (#35693498)

Fortunately, my Kroger Plus card application was littered with fake information!

Re:Fake Info (0)

Anonymous Coward | more than 3 years ago | (#35693538)

well, if you ever use your kroger card along with a credit card, they will fix that for you.

Cheers!

Re:Fake Info (1)

morari (1080535) | more than 3 years ago | (#35693608)

Easy enough to avoid.

USBank sent me one as well (0)

Anonymous Coward | more than 3 years ago | (#35693526)

Same breach hit US Bank.

Sigh

Similar email from US Bank (0)

Anonymous Coward | more than 3 years ago | (#35693580)

I've got a similar email from US Bank regarding their customer emails and Epsilon:

As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.

Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
http://www.usbank.com/cgi_w/cfm/about/online_security/online_fraud.cfm

In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).

The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.

Why does a grocery store need your email address? (0)

Anonymous Coward | more than 3 years ago | (#35693586)

Makes me wonder ...

Re:Why does a grocery store need your email addres (2)

MysteriousPreacher (702266) | more than 3 years ago | (#35693628)

So the Jewish conspiracy of reptile overlords in charge of Kroger can send out adverts that will in turn give them enough revenue to fund their NWO?

Actually (1)

zoomshorts (137587) | more than 3 years ago | (#35693822)

Yes, in a word. Radio Shack and Kroger have Albert DeSalvo at Fort Leavenworth KS is what I give them all.
It is surprising how many convicted felons are in their database !!!!

Re:Why does a grocery store need your email addres (1)

cob666 (656740) | more than 3 years ago | (#35693674)

If I were to take a stab in the dark answer to this question it would be for two purposes, the first would be to send you notices and perhaps coupons. The second would be for cross referencing with external data sources. I would guess that the vast majority of email users in the wild use the same email address for everything and having that data to cross reference your Kroger shopping profile with your Border's Books shopping profile could lead to some interesting data junctions. User is buying more fat free foods over the past 6 months and they have also started buying healthy cooking books. This could lead to some nicely targeted advertisements for weight loss or exercise programs.

I wouldn't be the least bit surprised to find that marketing companies are behind the break-ins.

Re:Why does a grocery store need your email addres (2)

The_Wilschon (782534) | more than 3 years ago | (#35693994)

So they can notify you when your email address gets stolen, of course! Didn't think that one through, didja? </sarcasm>

Fixed it for you .. (1)

LoudMusic (199347) | more than 3 years ago | (#35693620)

"... notified customers today of a breach of the database that stores its customers' fake names and fake email addresses."

There, fixed it for you.

Re:Fixed it for you .. (0)

Anonymous Coward | more than 3 years ago | (#35694326)

Not always fake, Banks use the service...

Do these companies not have security audits? (0)

Anonymous Coward | more than 3 years ago | (#35693678)

Since retailers handle credit card data, PCI-DSS compliance requires that their networks be locked down and audited. That's why you rarely see retailer corporate networks invaded anymore. Mass marketing companies do not have any security requirements that I am aware of. Hopefully right now some big companies are questioning the security practices of their outsourced marketing firms. These companies need to be required to undergo regular third party security audits, and the retailers using them need to put stiff penalties for failing the audit into their contracts.

I shop at a member owned co-op (0)

mallyn (136041) | more than 3 years ago | (#35693694)

Folks:

I do about 90 percent of my food shopping at a local member owned co-op.

They have my information because I am a member-owner (we all purchase shares and get a end-of-year dividend).

At the checkout, we give them our membership number. There is no price difference between members and non-members. The dividend we get is based on how much you spend.

This is a member owned co-op. The member owners elect a board of directors each year from our own ranks.

There is no outside ownership. Our member list is kept confidential within the co-op itself.

The only 'spam' I get is announcements of membership meetings and other major events at the co-op. By major, I don't mean every little group that uses our community room.

US Bank uses Epsilon, too (1)

Phoenix Dreamscape (205064) | more than 3 years ago | (#35693696)

I received a similar notification from US Bank today with regards to my linuxfund.org credit card. They called out Epsilon as the source of the leak, and claim no financial data was compromised.

---
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.

We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.

We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
---

Re:US Bank uses Epsilon, too (0)

Anonymous Coward | more than 3 years ago | (#35694248)

Yep, just got the same thing from US Bank.

Hackers? (1)

multisync (218450) | more than 3 years ago | (#35693714)

Kroger has no idea who accessed their email system, let alone whether or not they were hackers. Seems more likely spammers, or perhaps fraudsters, would be interested in gaining accesses to customer names and email addresses.

In fact the word hacker appears nowhere in the article or summary. What is your major malfunction, Timothy?

When did associates replace employees? (0)

Anonymous Coward | more than 3 years ago | (#35693732)

I realize Walmart has this practice of calling its employees "associates" instead of employees, but when did that enter common usage to describe anyone employed by a company?

This is essentially a business newspeak word designed to control thought. It implies a false increased valuation by simply using a nicer word for employees. Corporations can use it all they like, but that doesn't mean we have to adopt this usage in common language.

Kroger should be required to stop collecting info (1)

Animats (122034) | more than 3 years ago | (#35693950)

The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

They're a grocery store. They don't need that info.

Re:Kroger should be required to stop collecting in (2)

Gaygirlie (1657131) | more than 3 years ago | (#35694276)

The punishment for the leak should be that Kroger has to abandon any attempts to collect or store information about their customers.

They're a grocery store. They don't need that info.

Why should they be forced to do that? It's not Kroger's fault in the first place, it's Epsilon who made the mistake.

Third party (3, Insightful)

Zedrick (764028) | more than 3 years ago | (#35694036)

"third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

Re:Third party (2)

Gaygirlie (1657131) | more than 3 years ago | (#35694296)

"third-party vendor Kroger uses to manage its customer "... why the hell are they using a third-party anything to manage THEIR customer data?

Oh, oh, I know! Because they don't care about their customers data, and want the option to sue + put the blame on someone if something goes wrong.

Ignorant comment.

Why do people outsource things to others when they can do it themselves? Like for example, why do people hire a company to fix their cars? Indeed: because the company has all the tools and expertise already, you'd have to first train yourself and then get all the necessary tools in order to do it. It's exactly the same with companies: if someone else can do the same job better, easier and cheaper than if you did it yourself then obviously it makes more sense to get the someone else to do it.

Re:Third party (2)

DerekLyons (302214) | more than 3 years ago | (#35694414)

Or maybe it's cheaper/more efficient to hire a third party so Kroger can concentrate on their actual business - selling groceries.

Really? (1)

PCRanger (1166501) | more than 3 years ago | (#35694056)

Who is 'the nation'? This is pretty sloppy journalism for a World-wide read news service...

Re:Really? (0)

Anonymous Coward | more than 3 years ago | (#35694234)

With bullshit like that there's a 99% chance it's the USA.

Good Luck (2)

Cylix (55374) | more than 3 years ago | (#35694236)

Spamming Brent Spiner, Johnny Bravo and Linus Torvalds!

There is no actual verification on those little forms. Though I did get a strange look for the Johnny Bravo one I submitted.

One of my friends even made one with the name Edgar Poe and he used this card specifically to purchase beer.

nancy drew's lost email (2)

anyaristow (1448609) | more than 3 years ago | (#35694484)

I didn't get the notification at my email address: nancydrew@example.com. Does that mean my data wasn't stolen?

What should one do when email is compromised? (1)

John Jorsett (171560) | more than 3 years ago | (#35694554)

I always set up a separate email account for every vendor I deal with. A surprising number of those email addresses end up getting into the hands of spammer/scammers. I always notify the companies that someone has compromised their email database, but only once have I received a response. It's no big deal for me to just divert all future email to that account to dev/null, but are there US federal laws that cover this, and is there any federal agency that should be notified so that these companies take security more seriously?

Screw Krogers anyway (1)

Osgeld (1900440) | more than 3 years ago | (#35694560)

My entire life experience with that place is a fucking headache

Cant find a parking spot cause some "designer" made the place all artsy and then sucked up 2/3s of it with a dumb ass gas station

Oh its 12 outside and dumping sleet, cant fucking walk on the sidewalk cause they fortified it with shit you will never ever buy, watch out for traffic

Jumping over the mountain of fortified crap, soaked in ice nearly ran over by cars you go in to the wonderful smell of garbage and nasty looking carts, picking one that is the least covered in green sticky shit (its called a hose, use it once in a while)

walk in to find out you cant go anywhere cause there is so much shit by the in the isles you have exactly 18 inches from a display and either another display or a fucking post and if one person stops your stuck

garbage bags in the middle of baking supplies, pet foot touching roach poison, shit meat selection, play their stupid card game, understaffed registers (and god help you if you ask for a pack of smokes) I would rather staple my tongue than step foot in one

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>