QFC Parent Kroger Affected in Massive Email Breach

Over the weekend, I got an email from national grocery retailer Kroger that warned my name and email address had been compromised by a breach, and that I should be alert for any phishing scams that might result. Then I got another email alert. And another.

It’s part of what’s being called a “massive breach” of third-party online marketing firm Epsilon’s email database, one that includes email addresses from TiVo, US Bank, JPMorgan Chase, Capital One, Citi ,Home Shopping Network (HSN), Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies.

For its part Kroger owns such grocery brands as City Market, Dillons, Jay C, Food 4 Less, Fred Meyer, Fry’s, King Soopers, QFC, Ralphs, and Smith’s.

Epsilon told the New York Times that just two percent of its 2,500-strong client base was affected, but that’s a little disingenuous given the size of the clients involved. What it has not disclosed is the actual number of email addresses stolen. Epsilon sends out some 40 billion emails a year, to give you an idea of the scope of their marketing.

SecurityWeek explains the value of the name and email address combination to the thieves:

Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield.