Grocery chain Wegmans will pay $400,000 in penalties to New York, as well as upgrade its data security practices, following a data breach that exposed the personal information of more than three million customers nationwide, including more than 830,000 New Yorkers, according to the state's attorney general.
The compromised information included usernames and passwords to Wegmans accounts, customers' names, emails, addresses and other data from drivers' license numbers, according to New York Attorney General Letitia James.
“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
According to the attorney general, in April 2021, a security researcher told Wegmans that a cloud storage container was left unsecured and open to public access, possibly exposing consumers’ sensitive information. The container was allegedly misconfigured from its creation in January 2018 until April 2021, and at some point an unauthorized actor could have accessed and cracked account credentials. In May 2021, Wegmans discovered a second cloud storage container with customers' personal information that was also misconfigured. The following month, Wegmans began informing the customers whose personal information was compromised.
According to the attorney general's office, Wegmans will adopt new security measures on top of the $400,000 penalty it agreed to pay. The measures include:
- Keeping an information security program that includes regular updates to keep pace with changes in technology and security threats;
- Reporting security risks to the company's leadership;
- Maintaining appropriate asset management practices, including maintaining an inventory of all cloud assets;
- Establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information;
- Developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment;
- Establishing appropriate password policies and procedures for customer accounts, including encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse;
- Maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities;
- Establishing appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes; and,
- Updating its data collection and retention practices.
In a statement to News 4 New York, the supermarket chain said it takes security seriously and that it has improved its processes after the breach was discovered, although there was no evidence that the data was accessed improperly or misused.
"Wegmans takes security of customer information very seriously and immediately remedied the situation once it was discovered," the supermarket chain said in its statement. "We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded."
Wegmans went on to say: "This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved."