On Wednesday in the Northern District of California, two individuals filed a proposed class-action complaint against the Kroger Co. and Accellion Inc., over a breach of a Kroger pharmacy that allegedly compromised the data of Kroger pharmacy customers.
Lead plaintiffs Ricky Cochran and Alain Berrebi alleged that “sensitive personal information,” such as names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, bank account information, and prescription information, among other data, of Kroger Health and Money Services customers was disclosed to third parties after the file transfer platform of Accellion, which had been providing third-party file transfer services to Kroger, was compromised. Kroger confirmed the breach Feb. 19.
Accellion came under fire recently because of a separate data breach in December 2020 that disclosed client information to hackers. The data breach at issue in the Wednesday complaint allegedly revealed a vulnerability in Accellion’s file transfer appliance (FTA) that also had been exposed in the December 2020 breach.
“Accellion’s FTA is a 20-year-old, obsolete, ‘legacy product’ that was ‘nearing end-of-life’ at the time of the Data Breach, thus leaving it vulnerable to compromise and security incidents,” the complaint claimed.
The plaintiffs argued that the defendants knew of the purported “data security shortcomings” of Accellion’s FTA product, and, in continuing to use the system, they were negligent and put customer and employee data at risk.
“Defendants’ failures to ensure that the file transfer services and products used by Kroger were adequately secure fell far short of their obligations and Plaintiffs’ and Class Members’ reasonable expectations for data privacy, jeopardized the security of Plaintiffs’ and Class Members’ Personal Information, and put Plaintiffs and Class Members at serious risk of fraud and identity theft,” the complaint alleged.
The formal causes of action against the defendants include negligence and negligence per se, breach of implied contract (against Kroger only), and invasion of privacy, among other statutory violations.
The plaintiffs are seeking actual and statutory damages, pre- and post-judgment interest, attorneys’ fees, and other relief deemed proper.