NEW YORK — A grocery store chain in Western New York is paying the state for a data breach that compromised the personal information of customers.
On Thursday, New York Attorney General Letitia James announced she secured $400,000 from Wegmans for exposing the personal information of more than 830,000 New Yorkers and more than 3 million people nationwide.
Wegmans kept personal information in cloud storage that the Attorney General's Office says were open and easy for hackers or others to access the data.
The compromised data included usernames and passwords for Wegmans accounts, as well as names, email addresses, mailing addresses and additional data derived from drivers' license numbers.
“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
In April of 2021, Wegmans was notified by a security researcher that its cloud storage container hosted on Microsoft Azure was unsecured and open to the public. Wegmans began looking into the issue and discovered that the container had been misconfigured from its creation in 2018.
In May of that year, Wegmans discovered that a second storage container was also misconfigured and exposed data to the public since it was set up in 2018.
In June of 2021, Wegmans began notifying affected customers.
The AG's office determined that in addition to the misconfiguration of storage containers, Wegmans also failed to inventory its cloud assets with personal information and regularly conduct security testing of its cloud assets. Wegmans also failed to maintain a long-term log of its could assets, which made it difficult to investigate the incident.
As a part of the agreement, Wegmans will pay $400,000 in penalties, as well as adopt new measures to protect consumers' personal information including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company's leadership.
- Maintaining appropriate asset management practices, including maintaining an inventory of all cloud assets.
- Establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information.
- Developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment.
- Implementing centralized logging and monitoring of cloud asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.
- Establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse.
- Maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities.
- Establishing appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes.
- Updating its data collection and retention practices, including only collecting a customer’s personal information when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information — for information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date.
Wegmans released the following statement on the agreement:
"Wegmans takes security of customer information very seriously and immediately remedied the situation once it was discovered. We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded.
"This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved."