Kroger agrees to pay $5 million over Accellion data breach

(Reuters) - Supermarket chain Kroger Co has agreed to pay $5 million to resolve claims related to the recent data breach of Accellion Inc's file transfer service, according to court filings.

The deal would end claims against Kroger on behalf of about 3.82 million pharmacy customers and current and former employees whose personal information was compromised in the software vendor breach, according to a preliminary approval motion for the proposed class action settlement filed Wednesday in California federal court.

The lawsuit, one of several filed in the last few months against Kroger, Accellion or other Accellion customers, also names Accellion as a defendant. The proposed deal "resolves claims against Kroger only" and would also release claims in multiple Ohio actions and an Indiana action against the supermarket chain, the filing said.

Tina Wolfson of Ahdoot & Wolfson, an attorney representing the plaintiffs, didn't immediately respond to a request for comment. Nor did Amy Lally of Sidley Austin, which represents Kroger. Michael Rubin and Melanie Blunschi of Latham & Watkins, representing Accellion, also did not immediately respond to requests for comment.

Accellion disclosed to clients that hackers exploited vulnerabilities in its legacy file transfer product in December 2020 and January 2021. The incident affected a number of companies, universities and others, including the law firm Jones Day. Kroger publicly revealed on Feb. 19 that the personal data of some of its pharmacy customers and employees was compromised, according to the filing.

The plaintiffs in the proposed class action claim that Kroger and Accellion lacked sufficient data security practices to protect personal information, among other failings, and that Kroger botched an obligation to protect their sensitive information from being disclosed.

In addition to the $5 million settlement fund, Kroger has agreed to change its business practices under the proposed deal. That would include confirming that it has moved over to a "new secure file transfer solution," securing or destroying the personal information subject to the breach and boosting its third-party vendor risk management program, according to the filing.

The Judicial Panel on Multidistrict Litigation rejected a bid to centralize cases against Accellion, Kroger, Flagstar Bancorp and others last month.

For the plaintiffs: Tina Wolfson of Ahdoot & Wolfson

For Kroger: Amy Lally of Sidley Austin

For Accellion: Michael Rubin of Latham & Watkins

Sara Merken reports on privacy and data security, as well as the business of law, including legal innovation and key players in the legal services industry. Reach her at