On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.
In April 2021, a security researcher informed Wegmans, a New York-based supermarket chain, that one of the company’s cloud storage containers hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing customers’ personal information. The cloud storage container was publicly accessible from its creation in January 2018 and housed a database backup file of over three million records of customer email addresses and account passwords.
In May 2021, Wegmans discovered a second misconfigured cloud storage container. The second container, misconfigured from its creation in November 2018, contained a database with customers’ names, email addresses, mailing addresses and additional data derived from drivers’ license numbers. In June 2021, Wegmans began notifying affected customers whose personal information was compromised by the issue.
In addition to paying a $400,000 penalty, the agreement requires Wegmans to adopt new data security measures, including:
- maintaining a comprehensive information security program;
- maintaining appropriate asset management practices;
- establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information;
- developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment;
- implementing centralized logging and monitoring of cloud asset activity;
- establishing appropriate password policies and procedures for customer accounts;
- maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities;
- establishing appropriate practices for customer account management and authentication; and
- updating its data collection and retention practices, including only collecting a customer’s personal information when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information.