Grocery store chain Wegmans is paying $400,000 in penalties to New York State after its data breach exposed the personal information of more than 3 million consumers nationwide, including more than 830,000 New Yorkers.
Wegmans is also required to upgrade its data-security practices to protect consumers, New York Attorney General Letitia James said in a June 30 announcement.
“For years,” Wegmans kept consumers’ personal information in “misconfigured” cloud storage containers that were open, making it easy for hackers or others to potentially access the information, James’ office said.
The compromised data included usernames and passwords for Wegmans accounts, along with customers’ names, email addresses, mailing addresses, and additional data derived from driver’s-license numbers.
“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
Probe details
In April 2021, a security researcher informed Wegmans that a cloud-storage container hosted on Microsoft Azure was left unsecured and open to public access, “potentially exposing” consumers’ sensitive information, James’ office said.
Wegmans “immediately reviewed” its cloud environment and identified the container, which had a database backup file with over 3 million records of customer email addresses and account passwords. The container was misconfigured from its creation in January 2018 until April 2021.
During that time, an unauthorized actor could have accessed and cracked account credentials, using them to log into customers’ Wegmans accounts or to access consumers’ accounts on a different website if the customers had reused their passwords.
In May 2021, Wegmans discovered a second cloud-storage container that was also misconfigured. That container, which had been publicly accessible since it was set up in November 2018, housed a database that included customers’ names, email addresses, mailing addresses, and additional data derived from driver’s-license numbers.
In June 2021, Wegmans began notifying affected consumers whose personal information was compromised during the incident.
James’ office determined that, at the time of the incident, Wegmans had not only failed to configure the cloud-storage containers to restrict access to their contents, but had also failed to inventory its cloud assets containing personal information, to secure all user passwords, and to regularly test the security of its cloud assets.
In addition, Wegmans kept checksums derived from customers’ driver’s-license numbers even though it had no “reasonable business purpose” to retain any form of driver’s-license information “indefinitely.”
Wegmans also failed to maintain long-term logs of its cloud assets, which made it “difficult to investigate security incidents,” James’ office said.
Protection measures
Besides the $400,000 in penalties, Wegmans must also adopt new measures to protect consumers’ personal information going forward.
The company must maintain a “comprehensive” information-security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company’s leadership.
It must also maintain appropriate asset-management practices, including maintaining an inventory of all cloud assets.
Wegmans will also establish policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information. It will also develop a penetration-testing program that includes at least one annual “comprehensive” penetration test of Wegmans’ cloud environment.
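The two findings above, an asset inventory and access controls on every container holding personal information, can be checked together. The following script is an added example and is not code from the article, the attorney general’s office or Wegmans. It assumes an inventory export shaped like the JSON that the Azure CLI’s `az storage container list` command emits (objects with `name` and `properties.publicAccess`), keyed here by storage-account name; the sample inventory, the name-based severity heuristic and the remediation command are all choices made for this example.

```python
"""Audit a cloud-storage inventory for containers that allow anonymous access.

Added example; this is not code from the article, the attorney general's office
or Wegmans. It assumes an inventory export shaped like the JSON that
`az storage container list` emits (objects with `name` and
`properties.publicAccess`), keyed here by storage-account name. The sample
inventory is constructed for illustration.
"""
import json
from typing import Dict, List

# Constructed sample: two storage accounts, four containers (assumption).
SAMPLE_INVENTORY = json.dumps({
    "prodstorage01": [
        {"name": "db-backups", "properties": {"publicAccess": "container"}},
        {"name": "app-logs", "properties": {"publicAccess": None}},
    ],
    "marketingdata": [
        {"name": "customer-export", "properties": {"publicAccess": "blob"}},
        {"name": "website-images", "properties": {"publicAccess": "blob"}},
    ],
})

# Name fragments that suggest a container holds backups or personal data.
# A heuristic chosen for this example, not a standard of any kind.
SENSITIVE_HINTS = ("backup", "customer", "db", "export", "pii")


def audit_inventory(inventory_json: str) -> List[Dict[str, str]]:
    """Return one finding per container that permits anonymous access.

    In Azure Blob Storage, a public-access level of "container" allows anyone
    to list and read every blob; "blob" allows anyone who knows a blob's URL to
    read it; null (or absent) means every request must be authorized.
    """
    inventory = json.loads(inventory_json)
    findings: List[Dict[str, str]] = []
    for account, containers in inventory.items():
        for container in containers:
            level = (container.get("properties") or {}).get("publicAccess")
            if level is None:
                continue  # authorized access only: nothing to report
            name = container["name"]
            sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
            findings.append({
                "account": account,
                "container": name,
                "public_access": level,
                "severity": "high" if sensitive else "medium",
                # Remediation command (Azure CLI): turn anonymous access off.
                "fix": (f"az storage container set-permission --name {name} "
                        f"--account-name {account} --public-access off"),
            })
    return findings


def report(findings: List[Dict[str, str]]) -> str:
    """Render findings as plain text, highest severity first."""
    order = {"high": 0, "medium": 1}
    lines = [f"{len(findings)} container(s) allow anonymous access"]
    for f in sorted(findings, key=lambda x: order[x["severity"]]):
        lines.append(f"[{f['severity'].upper()}] {f['account']}/{f['container']} "
                     f"public_access={f['public_access']}")
        lines.append(f"    fix: {f['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_inventory(SAMPLE_INVENTORY)))
```

A medium finding such as a public website-images container may be intentional; the value of running this over a complete inventory is that a backup container left open, as in the 2018 to 2021 window described above, shows up as a high-severity finding rather than going unnoticed for years.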
In addition, Wegmans is implementing centralized logging and monitoring of cloud-asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.
The grocery-store chain is also establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse.
Wegmans is also maintaining a “reasonable” vulnerability-disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities. It’s also establishing appropriate practices for customer-account management and authentication, including notice, a security challenge, or re-authentication for account changes.
The company is also updating its data collection and retention practices, including only collecting a customer’s personal information “when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information. For information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date,” James’ office said.
Wegmans reaction
In a company statement, Wegmans says it takes the security of customer information “very seriously and immediately remedied the situation once it was discovered.”
“We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded,” Wegmans said. “This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved.”