CINCINNATI — Grocery and convenience-store giant Kroger may have fallen victim to a data breach involving employee tax and salary information as part of an incident with credit bureau Equifax Inc., according to the blog Krebs on Security.

Citing a letter the Cincinnati-based Kroger sent to current and former employees, the grocery chain, which also operates about 1,500 c-stores of varying retail brands, said identity thieves stole tax and security data from Atlanta-based Equifax in a scheme involving default passwords, the blog said. Equifax’s W-2Express site is a portal that allows employees access to payroll and tax information via a personal identification number (PIN) that was the last four digits of an employee’s Social Security number and date of birth, which cybercriminals apparently obtained through another source, the blog said.

“We have no indication that Kroger’s systems have been compromised,” reported Krebs on Security about the contents of the Kroger letter.  “At this time, we have no indication that associates who had created a new password [those who did not use the default PIN] were affected, and we are still identifying which associates still using the default PIN may have been affected. We believe individuals gained access to some Kroger associates’ electronic W-2 forms and may have used the information to file tax returns in their names in an effort to claim a fraudulent refund.

“Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.”

In a statement released to CSP Daily News, Dianne Bernez, senior vice president, corporate communications for Equifax, confirmed that the company had been made aware of suspected fraudulent access to payroll information through its W-2Express service by Kroger.

“The information in question was accessed by unauthorized individuals who were able to gain access by using users’ personally identifiable information,” the statement said. “We have no reason to believe the personally identifiable information was attained through Equifax systems. Unfortunately, as individuals’ personally identifiable information has become more publicly available, these types of online fraud incidents have escalated. As a result, it is critical for consumers and businesses to take steps to protect consumers’ personally identifiable information including the use of strong passwords and PIN codes. We are working closely with Kroger to assess and monitor the situation.”

Kroger officials did not respond to requests for details.