Wegmans hit with $400,000 data-breach penalty


Wegmans Food Markets has been hit with a $400,000 penalty for exposing the personal information of more than 3 million customers chainwide, including more than 830,000 New Yorkers, the New York State Attorney General’s Office announced Thursday.

In a statement, the office said that for years, Wegmans kept the personal information of its customers “misconfigured” in a cloud computing system with containers that were open, “making it easy for hackers and others to potentially access the information.” In addition, the company failed to maintain long-term logs of cloud assets, which made it difficult to investigate security incidents.

The compromised data included usernames and passwords for Wegmans accounts, as well as customers’ names, email addresses, mailing addresses and data derived from driver’s license numbers.

“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” state Attorney General Letitia James stated. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”

In April 2021, a security researcher informed Wegmans that a cloud storage container hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing consumers’ sensitive information, the AG’s office said.

The New York State Attorney General's Office has hit Wegmans Food Markets with a $400,000 data-breach penalty.

Wegmans immediately reviewed its cloud environment and identified the container, which had a database backup file with over 3 million records of customer email addresses and account passwords. The container was misconfigured from its creation in January 2018 until April 2021, according to the AG's office.

In May 2021, Wegmans discovered that a second cloud storage container was misconfigured. That storage container, publicly accessible since being set up in November 2018, housed a database that included customers’ names, email addresses, mailing addresses and data from driver’s license numbers.

In June 2021, Wegmans began notifying customers whose personal information was compromised.

At that time, the company told customers that Wegmans.com account passwords were “hashed” and “salted,” meaning that actual password characters were not contained in the databases.

However, Wegmans advised that, “as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password.”

On Thursday, Wegmans said there is no indication that any customer data was actually accessed or misused.

Besides paying the $400,000 penalty, the AG’s office said Wegmans will be required to adopt new measures to protect customer information.

In a statement, the company said once it became aware of the problems, it immediately took steps to correct them.

“We have improved our processes to better protect customer information in the future,” it said. “While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded.”

Founded in 1916 in Rochester, Wegmans now operates more than 100 stores in seven states and employs more than 50,000 people.

Reporter Marcia Greenwood covers general assignments. Send story tips to mgreenwo@rocheste.gannett.com. Follow her on Twitter @MarciaGreenwood.

This article originally appeared on Rochester Democrat and Chronicle: Wegmans hit with $400,000 data-breach penalty