NY Hits Wegmans with $400K Penalty For Breach Exposing Customer Data
AG James said the deal will also require the grocery chain to improve data security practices to protect consumers' sensitive personal info.
NEW YORK — A New York-based supermarket will be paying the price for failing to properly secure customers' sensitive personal information.
The state of New York has secured $400,000 from the grocery store chain Wegmans for a data breach that exposed the personal information of more than three million consumers nationwide, including 830,000 New Yorkers, NY Attorney General Letitia James announced Thursday.
According to the AG, for many years Wegmans kept customer data in misconfigured, publicly open cloud storage containers, which made it easy for hackers or others to access the information. The compromised data included usernames, passwords, names, email addresses, mailing addresses and driver's license numbers.
James said in addition to the cash penalties, she will be requiring Wegmans to upgrade its data security practices to protect consumers.
"Wegmans failed to safely store and seal its consumers' personal information; instead it left sensitive information out in the open for years," James said in a statement announcing the agreement. "Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers."
In April of 2021, a security researcher notified Wegmans that a cloud storage container hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing customer data. The company reviewed its cloud environments and identified the container, which held a database backup file with over three million customer data records. The container was misconfigured from January 2018 to April 2021, during which time it would have been possible for an unauthorized actor to access and crack customer account credentials. In May of last year, Wegmans found a second cloud storage container that was also misconfigured and left publicly accessible, containing detailed customer information.
In June of 2021, Wegmans began notifying affected consumers whose personal data was compromised during the incident. The AG's office determined that, in addition to failing to configure the containers to limit access to their contents, Wegmans also failed to inventory its cloud assets containing personal data, secure user passwords, or regularly conduct security testing on its cloud assets. The company also stored driver's license data indefinitely without a reasonable business purpose for doing so. Wegmans also failed to maintain long-term logs of its cloud assets, making it difficult to investigate security breaches, according to the AG.
As a result of Thursday's agreement, Wegmans will be required to pay New York $400,000 in penalties. In addition, the company must adopt new measures to protect customer data:
- Maintain a comprehensive information security program that is regularly updated, and report security risks to the company's leadership.
- Maintain appropriate asset management practices, including an inventory of all cloud assets.
- Establish policies and procedures to ensure all cloud assets with personal data have appropriate access controls.
- Develop a penetration testing program, including at least one annual comprehensive penetration test of Wegmans’ cloud environment.
- Implement centralized logging and monitoring of cloud asset activity, including logs that are readily accessible for at least 90 days and stored for at least one year from the date the activity was logged.
- Establish appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication and prohibiting password reuse.
- Maintain a reasonable vulnerability disclosure program that allows third parties to disclose vulnerabilities.
- Establish appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes.
- Update data collection and retention practices, including only collecting a customer’s personal data when there is a reasonable business purpose to do so and deleting personal information when there is no longer a need — for information collected prior to the effective agreement date, Wegmans will permanently delete all personal data for which no business reason exists within 240 days of the effective date.
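Added example (not code from the article, from Wegmans, or from the AG's agreement): a Python sketch of the salted password-hashing requirement above, using PBKDF2-HMAC-SHA256 from the standard library, one of the key derivation functions NIST SP 800-63B names for stored passwords. The iteration count and the sample credentials are constructed values; the unsalted SHA-256 function is included only to contrast the weak pattern with the hardened one.

```python
import hashlib
import hmac
import os

# Constructed parameters: a per-user random salt and a work factor high
# enough that guessing against a leaked backup file is expensive.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The weak pattern: same password -> same digest for every user,
    so one precomputed table cracks every matching record at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.
    A fresh random salt is drawn when none is supplied."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt and iteration count stored in
    the record and compare in constant time. Records in any other scheme
    are rejected rather than guessed at."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two customers choosing the same password get unrelated records.
    print(hash_password("correct horse") != hash_password("correct horse"))
```

Because the record embeds its own iteration count, the work factor can be raised later and old records re-hashed on the customer's next successful login.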