On May 6, 2016, Kroger had to notify 430,000+ current and former employees that their W-2 information had been breached. Unfortunately, the breach took place through a third-party vendor's service: Equifax's W-2 eXpress site.
Three parties are involved in and affected by this breach: Kroger, Equifax, and Kroger's current and past employees. Not all the facts are in yet, but we know enough at this point to explore the details of what happened, as well as what each party (and others like them) could do in the future to make breaches like this far less likely to happen, and less damaging when they do.
Kroger hired Equifax to provide its convenient, electronic W-2 system to Kroger employees. In its email to employees, the retail giant acknowledges that Equifax’s W-2 eXpress site uses default login information based on SSNs and dates of birth (according to Krebs on Security, only the four-digit birth year is needed). As this breach and others like it have shown, SSNs and birth information are relatively easy for criminals to acquire.