Case 5:21-cv-01887-SVK Document 1 Filed 03/17/21 Page 1 of 33

BEN BARNOW*
b.barnow@barnowlaw.com
ERICH P. SCHORK*
e.schork@barnowlaw.com
ANTHONY L. PARKHILL*
aparkhill@barnowlaw.com
BARNOW AND ASSOCIATES, P.C.
205 West Randolph Street, Suite 1630
Chicago, IL 60606
Telephone: 312.621.2000

TINA WOLFSON (SBN 174806)
twolfson@ahdootwolfson.com
ROBERT AHDOOT (SBN 172098)
rahdoot@ahdootwolfson.com
THEODORE MAYA (SBN 223242)
tmaya@ahdootwolfson.com
AHDOOT & WOLFSON, PC
2600 W. Olive Avenue, Suite 500
Burbank, CA 91505-4521
Telephone: 310.474.9111
Facsimile: 310.474.8585

ANDREW W. FERICH*
aferich@ahdootwolfson.com
AHDOOT & WOLFSON, PC
201 King of Prussia Road, Suite 650
Radnor, PA 19087
Telephone: 310.474.9111
Facsimile: 310.474.8585

* pro hac vice to be submitted

Attorneys for Plaintiffs and the Proposed Classes

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

RICKY COCHRAN and ALAIN BERREBI, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

THE KROGER CO. and ACCELLION, INC.,

Defendants.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiffs Ricky Cochran and Alain Berrebi (“Plaintiffs”), individually and on behalf of all others similarly situated, upon personal knowledge of facts pertaining to themselves and on information and belief as to all other matters, by and through undersigned counsel, bring this Class Action Complaint against Defendants Accellion, Inc. (“Accellion”) and The Kroger Co. (“Kroger”) (together, “Defendants”).

- 1 -
CLASS ACTION COMPLAINT

NATURE OF THE ACTION

1. Plaintiffs bring this class action on behalf of themselves and all other individuals (“Class Members”) who had their sensitive personal information—including but not limited to names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers (SSNs), bank account and routing information, information used to process health insurance claims, and prescription information[1] (collectively, “Personal Information”)—disclosed to unauthorized third parties during a data breach compromising Accellion’s legacy File Transfer Appliance software (the “Data Breach”).

2. Accellion made headlines in late 2020 and early 2021 (and continues to receive a raft of negative publicity) following its December 23, 2020 disclosure to numerous clients that criminals breached Accellion’s client-submitted data via a vulnerability in its represented “secure” file transfer application.[2]

3. Accellion is a software company that provides third-party file transfer services to clients. Accellion makes and sells a file transfer product called the File Transfer Appliance (“FTA”). Accellion’s FTA is a 20-year-old, obsolete “legacy product” that was “nearing end-of-life”[3] at the time of the Data Breach, thus leaving it vulnerable to compromise and security incidents.

4. During the Data Breach, unauthorized persons gained access to Accellion’s clients’ files by exploiting a vulnerability in Accellion’s FTA platform.

5. On February 19, 2021, Kroger publicly confirmed that the Personal Information of Kroger pharmacy customers, along with “certain associates’ HR data . . . and certain money services records,” was compromised in the well-publicized Data Breach of its file transfer software vendor, Accellion.

[1] Rich Barak, NEW: Kroger data breach investigation continues, ATLANTA NEWS NOW (Feb. 21, 2021), https://www.ajc.com/news/breaking-kroger-advises-customers-of-data-breach-affecting-pharmacy/R44FKCSVLNDTJHA53ON36HO2CA/ (last visited Mar. 11, 2021).
[2] Lucas Ropek, The Accellion Data Breach Seems to Be Getting Bigger, GIZMODO (Feb. 11, 2021, 8:47 P.M.), https://gizmodo.com/the-accellion-data-breach-seems-to-be-getting-bigger-1846250357 (last visited Mar. 11, 2021).
[3] ACCELLION, Accellion Provides Update to Recent FTA Security Incident (Feb. 1, 2021), https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ (last visited Mar. 11, 2021).

6. In a press release, Kroger identified that, inter alia, customers of Kroger Health and Money Services were impacted.[4] Little information is available about the disclosure of Kroger employee and money services customer records, but reports indicate more specifically that pharmacy customers of The Little Clinic, Kroger Pharmacies, and Kroger’s family of pharmacies operated by Ralphs Grocery Company and Fred Meyer Stores Inc. are all potentially impacted by the Data Breach. Other affiliated pharmacies possibly impacted by the Data Breach include Jay C Food Stores, Dillon Companies, LLC, Baker’s, City Market, Gerbes, King Soopers, Quality Food Centers, Roundy’s Supermarkets, Inc., Copps Food Center Pharmacy, Mariano’s Metro Market, Pick ’n Save, Harris Teeter, LLC, Smith’s Food and Drug, Fry’s Food Stores, Healthy Options, Inc., Postal Prescription Services, and Kroger Specialty Pharmacy.[5]

7. On January 23, 2021, Accellion informed Kroger that Kroger’s files and information were impacted by the Data Breach. Specifically, Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s FTA platform.

8. At the time of the Data Breach, Kroger, along with reportedly thousands of others, was a client of Accellion. Accellion’s services to Kroger, and to its other customers, included the use of Accellion’s outdated and vulnerable FTA platform for large file transfers. The Personal Information of Kroger’s pharmacy customers, employees, and money services customers, among others, was accessed without authorization by, and disclosed to, criminals who were able to exploit vulnerabilities in Accellion’s FTA product.

9. Defendants were well aware of the data security shortcomings in Accellion’s FTA product. Nevertheless, Defendants continued to use FTA, putting Kroger’s customers and employees at risk of being impacted by a breach.

[4] The Kroger Co., Accellion Security Incident Impacts Kroger Family of Companies Associates and Limited Number of Customers, CISION PR NEWSWIRE (Feb. 19, 2021, 4:05 P.M.), https://www.prnewswire.com/news-releases/accellion-security-incident-impacts-kroger-family-of-companies-associates-and-limited-number-of-customers-301231891.html (last visited Mar. 9, 2021).
[5] Chris Mayhew, Kroger advises customers of a data breach affecting pharmacy and Little Clinic, CINCINNATI.COM | THE ENQUIRER (Feb. 19, 2021, 8:34 P.M.), https://www.cincinnati.com/story/news/2021/02/19/kroger-warns-customers-medical-prescriptions-data-breach/4514664001/ (last visited Mar. 11, 2021).

10. Defendants’ failures to ensure that the file transfer services and products used by Kroger were adequately secure fell far short of their obligations and of Plaintiffs’ and Class Members’ reasonable expectations for data privacy, jeopardized the security of Plaintiffs’ and Class Members’ Personal Information, and put Plaintiffs and Class Members at serious risk of fraud and identity theft.

11. As a result of Defendants’ conduct and the resulting Data Breach, Plaintiffs’ and Class Members’ privacy has been invaded, their Personal Information is now in the hands of criminals, and they face a substantially increased risk of identity theft and fraud. Accordingly, these individuals now must take immediate and time-consuming action to protect themselves from such identity theft and fraud.

PARTIES

12. Plaintiff Ricky Cochran is a citizen of the state of Georgia and resides in Covington, Georgia. Believing Kroger would implement and maintain reasonable security and practices to protect his Personal Information, Mr. Cochran routinely provided his Personal Information to a Kroger pharmacy location on Salem Road in Covington, Georgia, in connection with having prescriptions filled. On or about February 19, 2021, Kroger sent Plaintiff Cochran, and Plaintiff Cochran received, a letter confirming that his personal information was impacted by the Data Breach. In the letter, Kroger identified that the nature of the information involved includes “names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, information to process insurance claims, prescription information such as prescription number, prescribing doctor, medication names and dates, medical history, as well as certain clinical services . . . .”

13. Plaintiff Alain Berrebi is a citizen of the state of California and resides in Los Angeles, California. Believing Kroger would implement and maintain reasonable security and practices to protect his Personal Information, Mr. Berrebi routinely provided his Personal Information to a Ralphs pharmacy location on West 9th Street in downtown Los Angeles, California, in connection with having prescriptions filled. On or about March 11, 2021, Kroger sent Plaintiff Berrebi, and Plaintiff Berrebi received, a letter confirming that his personal information was impacted by the Data Breach. In the letter, Kroger identified that the nature of the information involved includes “names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, information to process insurance claims, prescription information such as prescription number, prescribing doctor, medication names and dates, medical history, as well as certain clinical services . . . .”

14. Defendant Accellion Inc. is a Delaware corporation with corporate headquarters located at 1804 Embarcadero Road, Suite 200, Palo Alto, California 94303.

15. Defendant The Kroger Co. is an Ohio corporation with its corporate headquarters located at 1014 Vine Street, Cincinnati, Ohio 45202.

JURISDICTION AND VENUE

16. This Court has subject matter jurisdiction over this action pursuant to the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(a) and (d), because the matter in controversy, exclusive of interest and costs, exceeds the sum or value of five million dollars ($5,000,000.00) and this is a class action in which one or more Class Members are citizens of states different from Defendants.

17. The Court has personal jurisdiction over Defendants because Accellion has a principal office in California, Defendants conduct significant business in California, and Defendants otherwise have sufficient minimum contacts with and intentionally avail themselves of the markets in California.

18. Venue properly lies in this judicial district because, inter alia, Accellion has a principal place of business in this district; Defendants transact substantial business, have agents, and are otherwise located in this district; and a substantial part of the conduct giving rise to Plaintiffs’ claims occurred in this judicial district.

FACTUAL ALLEGATIONS

A. Accellion and its Unsecure File Transfer Platform, FTA

19. Accellion is a Palo Alto-based software company that makes, markets, and sells file transfer platforms and services.

20. Accellion touts its products and services as “prevent[ing] data breaches”[6] and as being secure. On its website, Accellion states:

    The Accellion enterprise content firewall prevents data breaches and compliance violations from third party cyber risk. CIOs and CISOs rely on the Accellion platform for complete visibility, security and control over . . . sensitive content across email, file sharing, mobile, enterprise apps, web portals, SFTP, and automated inter-business workflows.[7]

[6] ACCELLION, About Accellion, https://www.accellion.com/company/ (last visited Mar. 9, 2021).

21. Accellion also touts its commitment to data privacy, claiming that “[d]ata privacy is a fundamental aspect of the business of Accellion . . . .”[8]

22. Accellion markets its products and services as capable of safely transferring sensitive Personal Information through file sharing, claiming that “[w]hen employees click the Accellion button, they know it’s the safe, secure way to share sensitive information. . . .”[9]

23. Despite these assurances and claims, Accellion failed to offer safe and secure file transfer products and services and failed to adequately protect Plaintiffs’ and Class Members’ Personal Information entrusted to it by Accellion’s clients, including Kroger.

24. Accellion’s FTA product, which Kroger and certain of its other clients used, was not secure and, by Accellion’s own acknowledgment, outdated.

25. The FTA—or File Transfer Appliance—is Accellion’s twenty-year-old “legacy” file transfer software, which purportedly is designed and sold for large file transfers.[10]

26. Accellion’s FTA is an obsolete “legacy product” that was “nearing end-of-life,”[11] thus leaving it vulnerable to compromise and security incidents. Accellion acknowledged that the FTA program is insufficient to keep file transfer processes secure “in today’s breach-filled, over-regulated world” where “you need even broad protection and control.”[12] On the page dedicated to Accellion FTA, Accellion’s website states: “End-of-Life Announced for FTA. No Renewals After April 30, 2021.”[13]

[7] Id. (emphasis added).
[8] ACCELLION, Accellion Privacy Policy, https://www.accellion.com/privacy-policy/ (last visited Mar. 11, 2021).
[9] ACCELLION, About Accellion, https://www.accellion.com/company/ (last visited Mar. 11, 2021) (emphasis added).
[10] ACCELLION, Accellion Responds to Recent FTA Security Incident (Jan. 12, 2021), https://www.accellion.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ (last visited Mar. 11, 2021).
[11] ACCELLION, Press Release, Accellion Provides Update to Recent FTA Security Incident (Feb. 1, 2021), https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ (last visited Mar. 11, 2021).

27. Key people within Accellion have acknowledged the need to leave the FTA platform behind due to the security concerns it raises. Accellion’s Chief Marketing Officer Joel York confirmed that Accellion is encouraging its clients to discontinue use of FTA because it does not protect against modern data breaches: “It just wasn’t designed for these types of threats . . . .”[14]

28. Accellion’s Chief Information Security Officer Frank Balonis stated: “Future exploits of [FTA] . . . are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible.”[15]

29. Despite knowing that FTA left Accellion’s customers (like Kroger) and third parties interacting and transacting with those customers (like Plaintiffs and Class Members) exposed to security threats, Accellion continued to offer, and Kroger continued to use, the FTA file transfer product at the time of the Data Breach.

B. The Data Breach

30. On December 23, 2020, the inevitable happened: Accellion confirmed to numerous clients that it had experienced a massive security breach whereby criminals were able to gain access to sensitive client data via a vulnerability in its FTA platform.[16]

[12] ACCELLION, Accellion FTA, https://www.accellion.com/products/fta/ (last visited Mar. 11, 2021).
[13] Id.
[14] Jim Brunner & Paul Roberts, Banking, Social Security info of more than 1.4 million people exposed in hack involving Washington State Auditor, SEATTLE TIMES (Feb. 3, 2021, 4:57 P.M.), https://www.seattletimes.com/seattle-news/politics/personal-data-of-1-6-million-washington-unemployment-claimants-exposed-in-hack-of-state-auditor/ (last visited Mar. 9, 2021).
[15] ACCELLION, Press Release, Accellion Provides Update to Recent FTA Security Incident (Feb. 1, 2021), https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ (last visited Mar. 11, 2021).
[16] Lucas Ropek, The Accellion Data Breach Seems to Be Getting Bigger, GIZMODO (Feb. 11, 2021, 8:47 P.M.), https://gizmodo.com/the-accellion-data-breach-seems-to-be-getting-bigger-1846250357 (last visited Mar. 11, 2021).

31. According to reports, the criminals exploited as many as four vulnerabilities in Accellion’s FTA to steal sensitive data files associated with up to 300 of Accellion’s clients, including corporations, law firms, banks, universities, and other entities.

32. With respect to how Accellion’s FTA was compromised, one report indicates:

    The adversary exploited [the FTA’s] vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant’s telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion’s FTA and then download files from that list via the Web shell. Once the downloads complete, the attackers then execute a clean-up routine to erase traces of their activity.[17]

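The sequence described in the quoted report (a server-side script that is not part of the product appearing in the web root, files pulled through it in a burst, then a clean-up) leaves a recognizable shape in an appliance's ordinary web-server access log. The script below is an added example written for this page, not code from the complaint, from Mandiant, or from Accellion, and it makes no claim about DEWMODE's real request format. The log lines, paths, client addresses, the script name `/app/about_cache.php`, the allowlist `KNOWN_SCRIPTS` and the thresholds are all constructed; treating a later 404 on the same path as a sign of self-removal is a heuristic assumption.

```python
"""Heuristic detection of the exfiltration pattern quoted above: an unexpected
server-side script in the web root, a burst of large responses served through
it, then the script disappearing.  Added example for this page; not code from
the complaint, Mandiant or Accellion.  Log format, paths, addresses and
thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (constructed for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed allowlist of the appliance's legitimate scripts.  In practice this is
# generated from the installed package manifest, not typed by hand.
KNOWN_SCRIPTS = {"/app/login.php", "/app/upload.php", "/app/download.php"}
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".cgi")

MIN_BODY = 50_000    # a 200 response at least this large from a script counts as a file download
MIN_DOWNLOADS = 3    # this many downloads through one unknown script produces a finding

# Constructed sample: one ordinary user, then one client that hits a script not
# in the allowlist, pulls three large files through it, and finally gets a 404
# from the same path (the script is gone).
SAMPLE_LOG = """\
198.51.100.4 - - [16/Jan/2021:09:00:01 +0000] "GET /app/login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2021:09:00:40 +0000] "POST /app/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2021:09:02:10 +0000] "GET /app/download.php?id=41 HTTP/1.1" 200 734112 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2021:22:15:03 +0000] "GET /app/about_cache.php HTTP/1.1" 200 1874 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Jan/2021:22:15:09 +0000] "GET /app/about_cache.php?f=1 HTTP/1.1" 200 2097152 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Jan/2021:22:15:15 +0000] "GET /app/about_cache.php?f=2 HTTP/1.1" 200 5242880 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Jan/2021:22:15:21 +0000] "GET /app/about_cache.php?f=3 HTTP/1.1" 200 1048576 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Jan/2021:22:16:00 +0000] "GET /app/about_cache.php?cleanup=1 HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Jan/2021:22:16:05 +0000] "GET /app/about_cache.php HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def is_unknown_script(path):
    """True for a server-side script path that is not in the allowlist."""
    return path.endswith(SCRIPT_EXT) and path not in KNOWN_SCRIPTS


def detect_webshell_exfil(lines):
    """Return one finding per (client IP, unknown script) that served a download burst."""
    state = defaultdict(lambda: {"first": None, "downloads": 0, "bytes": 0, "gone": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_unknown_script(rec["path"]):
            continue
        st = state[(rec["ip"], rec["path"])]
        if rec["status"] == 200:
            if st["first"] is None:
                st["first"] = rec["ts"]
            if rec["bytes"] >= MIN_BODY:
                st["downloads"] += 1
                st["bytes"] += rec["bytes"]
        elif rec["status"] == 404 and st["first"] is not None:
            # Served earlier, now missing: consistent with the shell removing itself (assumption).
            st["gone"] = True
    findings = []
    for (ip, path), st in state.items():
        if st["downloads"] >= MIN_DOWNLOADS:
            findings.append({
                "ip": ip,
                "script": path,
                "first_seen": st["first"].isoformat(),
                "downloads": st["downloads"],
                "bytes_out": st["bytes"],
                "script_removed_after": st["gone"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_webshell_exfil(SAMPLE_LOG.splitlines()):
        print(finding)
```

Two caveats a practitioner would add. A shell written to a path that is on the allowlist (an attacker overwriting a legitimate script) is invisible to this check, so it belongs beside file-integrity monitoring of the web root and query logging on the database the report says the file list was read from. And because the report describes a clean-up step, the access log itself is evidence that can be erased by the same actor; it should be shipped off the appliance as it is written, not read from local disk after the fact.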
33. The criminals, reportedly associated with the well-known Clop ransomware gang, the FIN11 threat group, and potentially other threat actors, launched the attacks in mid-December 2020. The attacks continued into January 2021, as these actors continued to exploit vulnerabilities in the FTA platform. Following the attacks, the criminals resorted to extortion, threatening Accellion’s clients, e.g., by email, with making the stolen information publicly available unless ransoms were paid.[18] In at least a few instances, the criminals carried out these threats and published private and confidential information online. See id.

34. An example of a message sent by the criminals to a client of Accellion that was victimized during the breach is below[19]:

[17] Jai Vijayan, Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims, DARK READING (Feb. 22, 2021, 4:50 P.M.), https://www.darkreading.com/attacks-breaches/accellion-data-breach-resulted-in-extortion-attempts-against-multiple-victims/d/d-id/1340226 (last visited Mar. 11, 2021).
[18] Ionut Ilascu, Global Accellion data breaches linked to Clop ransomware gang, BLEEPINGCOMPUTER (Feb. 22, 2021, 9:06 A.M.), https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ (last visited Mar. 11, 2021).
[19] Id.

[Image: extortion message sent to an Accellion client; not reproduced in this text version]

35. Accellion has remained in the headlines through early 2021 (and continues to receive a raft of negative publicity) following its mid-December 2020 disclosure of the massive Data Breach. The list of groups and clients who used Accellion’s unsecure FTA product and were impacted by the Data Breach continues to grow.

36. The list, to date, reportedly includes:
• Allens
• American Bureau of Shipping (“ABS”)
• The Australian Securities and Investments Commission
• Bombardier
• CSX
• Danaher
• Flagstar Bank
• Fugro
• Goodwin Procter
• Harvard Business School
• Jones Day
• The Kroger Co.
• The Office of the Washington State Auditor
• QIMR Berghofer Medical Research Institute
• Qualys
• The Reserve Bank of New Zealand
• Singtel
• Southern Illinois University School of Medicine
• Steris
• Transport for New South Wales
• Trillium Community Health Plan
• The University of Colorado

C. Kroger Announces It Was Impacted by the Accellion Data Breach

37. Touting itself as “one of the world’s largest retailers,” Kroger operates approximately 2,750 grocery retail stores under a variety of banner names, including Ralphs. Kroger also operates 2,256 pharmacies located in these stores.

38. On February 19, 2021, Kroger publicly confirmed that the Personal Information of Kroger pharmacy customers, along with “certain associates’ HR data . . . and certain money services records,” was compromised in the Data Breach. Kroger specifically identified that customers of Kroger Health and Money Services were impacted.[20]

39. On its website, Kroger provides the following, in pertinent part[21]:

    Information About the Accellion Incident

    Kroger has confirmed that it was impacted by the data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.

    Here are the facts as we understand them: The incident was isolated to Accellion’s services and did not affect Kroger’s IT systems or any grocery store systems or data. No credit or debit card (including digital wallet) information or customer account passwords were affected by this incident. After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.

    * * *

    What information may have been involved?

    At this time, based on the information provided by Accellion and our own investigation, Kroger believes the categories of affected data may include certain associates’ HR data, certain pharmacy records, and certain money services records.

    * * *

[20] The Kroger Co., Accellion Security Incident Impacts Kroger Family of Companies Associates and Limited Number of Customers, CISION PR NEWSWIRE (Feb. 19, 2021, 4:05 P.M.), https://www.prnewswire.com/news-releases/accellion-security-incident-impacts-kroger-family-of-companies-associates-and-limited-number-of-customers-301231891.html (last visited Mar. 11, 2021).
[21] KROGER, Accellion Incident, https://www.kroger.com/i/accellion-incident (last visited Mar. 11, 2021).

40. While little information is currently available about the disclosure of Kroger’s employee and money services customer records, reports indicate that the breach was extensive insofar as its impact on Kroger’s pharmacy customers, including customers of The Little Clinic, Kroger Pharmacies, and Kroger’s family of pharmacies operated by Ralphs Grocery Company and Fred Meyer Stores Inc., all of which are potentially impacted by the Data Breach. Other affiliated pharmacies possibly impacted by the Data Breach include Jay C Food Stores, Dillon Companies, LLC, Baker’s, City Market, Gerbes, King Soopers, Quality Food Centers, Roundy’s Supermarkets, Inc., Copps Food Center Pharmacy, Mariano’s Metro Market, Pick ’n Save, Harris Teeter, LLC, Smith’s Food and Drug, Fry’s Food Stores, Healthy Options, Inc., Postal Prescription Services, and Kroger Specialty Pharmacy.[22]

41. Kroger’s submissions to California’s Attorney General indicate that the following information of pharmacy customers was compromised in the Data Breach: “certain names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, information to process insurance claims, prescription information such as prescription number, prescribing doctor, medication names and dates, medical history, as well as certain clinical services, such as whether [the customer] ordered an influenza test.”[23]

[22] Chris Mayhew, Kroger advises customers of a data breach affecting pharmacy and Little Clinic, CINCINNATI.COM | THE ENQUIRER (Feb. 19, 2021, 5:38 P.M.), https://www.cincinnati.com/story/news/2021/02/19/kroger-warns-customers-medical-prescriptions-data-breach/4514664001/ (last visited Mar. 11, 2021).
[23] California Attorney General, Notices of Data Breach at 7 (Feb. 19, 2021), https://oag.ca.gov/system/files/All%20Notices.pdf (last visited Mar. 11, 2021).

42. According to Kroger, on January 23, 2021, Accellion notified Kroger that an unauthorized person or persons gained access to Kroger’s files containing Plaintiffs’ and Class Members’ Personal Information by exploiting a vulnerability in Accellion’s FTA.

43. The incident reportedly did not affect Kroger’s IT systems and was isolated to Accellion’s services. Kroger claims that it has discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.[24]

44. Kroger’s public statement also states that it is working to notify, and will offer free credit monitoring to, potentially impacted customers.[25]

D. Impact of the Data Breach

45. The actual extent and scope of the impact of the Data Breach on Kroger’s pharmacy and money services customers remains uncertain.

46. Kroger has confirmed that it has stopped using Accellion’s services, but unfortunately for Plaintiffs and Class Members, the damage is already done.

47. Kroger has known that the FTA software is unsecured and should no longer be used in connection with data transfers. Indeed, “[m]ultiple cybersecurity experts . . . highlight that Accellion FTA is a 20-year-old application designed to allow an enterprise to securely transfer large files but it is nearing the end of life,” and that “Accellion asked its customers late last year to switch over to a new product it offers called kiteworks.”[26] On information and belief, Kroger failed to make the switch to kiteworks and knowingly continued to use FTA, exposing its customers’ Personal Information to the risk of theft, identity theft, and fraud.

[24] The Kroger Co., Accellion Security Incident Impacts Kroger Family of Companies Associates and Limited Number of Customers, CISION PR NEWSWIRE (Feb. 19, 2021, 4:05 P.M.), https://www.prnewswire.com/news-releases/accellion-security-incident-impacts-kroger-family-of-companies-associates-and-limited-number-of-customers-301231891.html (last visited Mar. 11, 2021).
[25] Id.
[26] Jonathan Greig, Kroger data breach highlights urgent need to replace legacy, end-of-life tools, TECHREPUBLIC (Feb. 24, 2021, 6:17 A.M.), https://www.techrepublic.com/article/kroger-data-breach-highlights-urgent-need-to-replace-legacy-end-of-life-tools/ (last visited Mar. 15, 2021).

48. The harm caused to Plaintiffs and Class Members by the Data Breach is already apparent. As identified herein, criminal hacker groups already are threatening Accellion’s clients with demands for ransom payments to prevent sensitive Personal Information from being disseminated publicly.

49. Even if companies, like Kroger, that were impacted by the Accellion Data Breach pay these ransoms, there is no guarantee that the criminals making the ransom demands will suddenly act honorably and destroy the sensitive Personal Information. In fact, there is no motivation for them to do so, given the burgeoning market for sensitive Personal Information on the dark web.

50. The Data Breach was particularly damaging given the nature of Accellion’s FTA. In the words of one industry expert: “[The] vulnerabilities [in Accellion’s FTA] are particularly damaging, because in a normal case an attacker has to hunt to find your sensitive files, and it’s a bit of a guessing game, but in this case the work is already done . . . By definition everything sent through Accellion was pre-identified as sensitive by a user.”[27]

51. The Data Breach creates a heightened security concern for Plaintiffs and Class Members because SSNs and sensitive health and prescription information were included. Theft of SSNs creates a particularly alarming situation for victims because those numbers cannot easily be replaced. In order to obtain a new number, a breach victim has to demonstrate ongoing harm from misuse of her SSN, and a new SSN will not be provided until after the harm has already been suffered by the victim.

52. Given the highly sensitive nature of SSNs, theft of SSNs in combination with other personally identifying information (e.g., name, address, date of birth) is akin to having a master key to the gates of fraudulent activity. Per the United States Attorney General, Social Security numbers “can be an identity thief’s most valuable piece of consumer information.”[28]

53. Defendants had a duty to keep Plaintiffs’ and Class Members’ Personal Information confidential and to protect it from unauthorized disclosures. Plaintiffs and Class Members provided their Personal Information to Kroger with the understanding that Kroger and any business partners to whom Kroger disclosed the Personal Information (i.e., Accellion) would comply with their obligations to keep such information confidential and secure from unauthorized disclosures.

[27] Lily Hay Newman, The Accellion Breach Keeps Getting Worse—and More Expensive, WIRED.COM (Mar. 8, 2021, 7:00 A.M.), https://www.wired.com/story/accellion-breach-victims-extortion/ (quoting Jake Williams, founder of the security firm Rendition Infosec) (last visited Mar. 10, 2021).
[28] Fact Sheet: The Work of the President’s Identity Theft Task Force, DEP’T OF JUSTICE (Sept. 19, 2006), https://www.justice.gov/archive/opa/pr/2006/September/06_ag_636.html (last visited Mar. 11, 2021).

54. Defendants’ data security obligations were particularly important given the substantial increase in data breaches—particularly those involving health information—in recent years, which are widely known to the public and to anyone in Accellion’s industry of data collection and transfer.

55. Data breaches are by no means new and they should not be unexpected. These types of attacks should be anticipated by companies that store sensitive and personally identifying information, and these companies must ensure that data privacy and security are adequate to protect against and prevent known attacks.

56. It is