Coronavirus (COVID-19) Support Resource Center

Keller Rohrback Investigates Equifax Data Breaches Involving Over 435,000 Employees of The Kroger Co., Stanford University And Northwestern University

Keller Rohrback L.L.P. is investigating recent reports of data breaches at big-three credit bureau Equifax Inc. (EFX) affecting current and former employees of grocery retailer The Kroger Co. (KR), Stanford University and Northwestern University.

Grocery retailer Kroger Co., which does business as popular grocery chains including QFC, Fred Meyer and Ralphs, sent employees a letter on May 5, 2016, stating: “It appears that unknown individuals have accessed [Equifax’s] W-2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth.”

Equifax provides the W-2Express service to large employers such as Kroger Co., which makes employee electronic W-2 forms accessible over Equifax’s website.  The W-2Express database currently has at least 431,000 current and former Kroger employees registered, and the data accessed included W2 forms which lists Social Security numbers, salaries and addresses.

Kroger spokesman Keith Dailey said other companies that relied on Equifax for W-2 data also relied on the last four digits of the SSN and 4-digit birth year as authenticators. “As far as I know, it’s the standard Equifax setup,” Dailey said.  Last month, Stanford University, with 3,500 employees registered on the W-2Express database, alerted current and former employees that their data was similarly accessed by ID thieves via Equifax’s W-2Express portal. Similarly, Northwestern University had 300 employees’ salary and tax data accessed from the portal as well.  ID thieves go after W-2 data because it contains much of the information needed to fraudulently request a tax refund from the IRS in someone else’s name.

“Equifax’s decision to use Social Security number and date of birth information as default login credentials to access W-2 form information has made these employees low-hanging fruit for cyber criminals, who can use this information to target these employees for identity theft indefinitely,” said Keller Rohrback attorney Amy Hanson.

If you are concerned that your personal information was breached and would like to know more about your rights, please contact attorneys Cari Campen Laufenberg or Amy Hanson at (800) 315-0177 or via email at

Keller Rohrback is a leader in representing employee, patient and consumer victims of data breaches.  Keller Rohrback has a long track-record of success with data breach litigation, including the Ninth Circuit case Krottner v. Starbucks, where the court held that the theft of a laptop containing employees’ personally identifiable information sufficed to confer Article III standing on plaintiffs.

The firm serves in leadership roles in the Sony Pictures Data Breach case, currently pending in the Central District of California, as well as in the VTech Electronics and Experian data breach cases. In addition, Keller Rohrback also represents plaintiffs in the Target consumer litigation, as well as the data breach cases pending against Anthem Inc., Excellus BlueCross BlueShield, and Medical Informatics Engineering.

Keller Rohrback, with offices in New York, Seattle, Phoenix, Oakland, Ronan and Santa Barbara, serves as lead and co-lead counsel in class actions throughout the country. Our Complex Litigation Group is proud to offer its expertise to clients nationwide, and our trial lawyers have obtained judgments and settlements on behalf of clients in excess of seven billion dollars.


Contact Us

If you are concerned that your personal information was breached and would like to know more about your rights, please contact attorney Cari Campen Laufenberg at (800) 315-0177 or via email at

Website Design by 3Circle Media