NEW YORK, N.Y. (WNCN) — New York’s Attorney General has secured $400,000 from grocery store chain, Wegmans, for exposing the personal information of more than three million consumers nationwide, according to a release.

For years, it says Wegmans kept the information in misconfigured cloud storage containers that were open, making it easy for hackers to access.

The compromised data included usernames and passwords for Wegmans accounts, along with consumers’ names, email addresses, mailing addresses, driver’s license numbers and additional data that can be found with that information, the release says.

“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” said Attorney General Letitia James. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”

According to the release, the breach was initially discovered in April 2021 when a researcher told Wegmans that a cloud storage container hosted on Microsoft Azure was left unsecured and open to public access.

The press release says the container had a database backup file that held more than three million records of customer email addresses and account passwords.

Upon reviewing their cloud environment, the release says Wegmans discovered the container was misconfigured from its creation in January 2018 to April 2021.

In May 2021, a second cloud storage container was found to be misconfigured.

The press release says this one had been left publicly accessible since it was set up in November 2018 and included information like customers’ names, email addresses, mailing addresses, driver’s license numbers and data that can be found with that information.

In June 2021, Wegmans started notifying consumers whose personal information was compromised, according to the release.

It says the Office of the Attorney General determined that Wegmans failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.

Officials also say that Wegmans did not have a ‘reasonable business purpose’ to have any form of driver’s license information indefinitely, and that the grocery store chain did not maintain long-term logs of its cloud assets, which made it difficult to investigate security incidents.

In addition to the $400,000 penalties, the agreement requires Wegmans to upgrade its data security practices and adopt new measures to protect consumers’ personal information.

The update includes:

  • An information security program that includes regular updates to keep pace with changes in technology and security threats and reporting threats to company leadership
  • Maintaining appropriate asset management practices, including maintaining an inventory of all cloud assets
  • Establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information
  • Developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment
  • Implementing centralized logging and monitoring of cloud asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged
  • Establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication and prohibiting password reuse
  • Maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities
  • Establishing appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes
  • Updating its data collection and retention practices

Wegmans issued the following statement:

Wegmans takes security of customer information very seriously and immediately remedied the situation once it was discovered. We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded.  

This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved.