Kroger notifies employees of W-2 breach involving Equifax service
It’s not just Stanford University employees who are reporting problems involving their W-2 data being accessed improperly from W2-Express, a service of Equifax. Kroger is also notifying employees. The Inquisitr reports:
Grocery giant Kroger sent an email to current and former employees today indicating that their Social Security numbers and dates of birth may be compromised.
The extent of the breach is not yet known, according to the email. It is believed the employee information was accessed via a security breach at Equifax.
“As you may know, Equifax, which provides online access to electronic W-2 forms for Kroger and other groups, was a target of a security incident,” the email states. “While the investigation is ongoing, it appears that unknown individuals accessed the W-2 Express website using default login information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions. We have no indication that Kroger’s systems have been compromised.”
Read more on The Inquisitr. Note that there is no indication that this is a phishing incident or that W2-Express’s system was hacked. This appears to be another one of those cases where criminals obtained SSN and DOB elsewhere and then used it to access W-2 Express to get W-2 data.
It is not clear why W-2 Express uses such all-too-available-by-now information as login credentials (a similar situation existed with another vendor, Greenshades). And it’s not known where or how the criminals would have or could have obtained the SSN and DOB.
Equifax did not respond to an email inquiry from DataBreaches.net on April 29 inquiring whether they’d had any breach.
In the interim, as Kroger continues investigating and trying to determine how many of its 400,000 employees have been impacted, they have imposed a login password reset for access to W2-Express. In their notification to employees, they explain:
As a precautionary measure, we worked with Equifax to reset the default PINs needed to access the W-2Express site. Your new default PIN is the last four numbers of your Kroger EUID and your 4-digit birth year. To further safeguard your personal information, please visit www.w2express.com as soon as possible to change and create your own PIN.