Hackers used a website run by a unit of Atlanta-based Equifax to steal sensitive personal information from W-2 forms on possibly hundreds of thousands of Kroger employees, according to a lawsuit.
The lawsuit said Kroger told employees that it believed identity thieves had already used information obtained from Equifax, one of the nation’s largest credit reporting firms, to file fraudulent tax returns on some of the supermarket’s employees.
Equifax said it does not comment on pending litigation.
The lawsuit, filed May 24 in U.S. District Court by Betzalel Yochanan, a Kroger employee in Altanta, said the data breach may also affect employees at other companies that use W-2 Express, run by Equifax Workforce Solutions.
The lawsuit seeks class action status for more than 431,000 of the supermarket’s employees and an undetermined number of former employees.
Kroger spokesman Keith Dailey said it learned of the breach April 27 and is working with Equifax, the IRS and FBI to investigate the breach.
“We have no indication that Kroger’s systems have been compromised, and Equifax has indicated to us that their systems were not compromised,” said Dailey.
However, the lawsuit says hackers only had to crack a fairly simple initial password — a combination of workers’ birth year and the last four digits of their Social Security numbers — to gain access to W-2 forms.
The initial password information “we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger said in an email to employees obtained by Databreaches.net, a blog on information security.
Dailey said Kroger has notified 13,000 current and former employees of potentially suspicious activity involving their W-2 information, but believes the number of affected people is smaller. The company has offered those people free monitoring for potential identity theft.
W-2 forms are the annual statements employees are required to send to workers and the IRS reporting their income taxes withheld, as well as a wealth of other sensitive information such as Social Security numbers and annual wages.
Kroger employees “anticipate spending considerable time and money for the rest of their lives” to combat identity thieves who could fraudulently obtain credit cards, mortgages or other accounts using their I.D.s, the lawsuit states.
The civil lawsuit accuses Equifax of failing to keep its promises to protect the Kroger employees’ information. It says Equifax violated federal and Georgia laws that require companies to take reasonable measures to protect sensitive personal information and to quickly investigate and notify affected people if a data breach has occurred.
According to the lawsuit, Kroger warned employees in early May that hackers had broken into Equifax’s website.
The lawsuit seeks unspecified damages and the company’s help in monitoring Kroger employees’ credit histories for signs of fraud by identity thieves.
