Wegmans Food Markets has agreed to pay $400,000 and upgrade its security practices over a data breach that exposed personal information of more than 3 million consumers nationwide, including 830,000 New Yorkers, according to New York Attorney General Letitia James.
The New York Attorney General indicated that Wegmans kept consumers’ personal information in misconfigured cloud storage containers that were open for years, making it easy for hackers or others to potentially access the information. The compromised data included usernames and passwords for Wegmans accounts, as well as customers’ names, email addresses, mailing addresses and additional data derived from drivers’ license numbers.
“Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet,” said Attorney General James. “In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
In April 2021, a security researcher informed Wegmans that a cloud storage container hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing consumers’ sensitive information. Wegmans immediately reviewed its cloud environment and identified the container, which had been misconfigured from its creation in January 2018 until April 2021. In May 2021, Wegmans discovered a second cloud storage container that was also misconfigured. This second container had been publicly accessible since it was set up in November 2018.
Last year, Wegmans began notifying consumers whose personal information was compromised during the incident.
The grocer is required to pay New York $400,000 in penalties and must adopt new measures to protect consumers’ personal information going forward.
Family-owned Wegmans operates over 100 stores in New York, Pennsylvania, New Jersey, Virginia, Maryland and Massachusetts. The Rochester, N.Y.-based company is No. 34 on The PG 100, Progressive Grocer’s 2022 list of the top food and consumables retailers in North America.