Wegmans Agrees to Pay $400,000 Penalty After Cloud Security Lapse

Posted on July 14, 2022

Posted in Cybersecurity, Enforcement, Information Security, Online Privacy, U.S. State Law

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

In April 2021, a security researcher informed Wegmans, a New York-based supermarket chain, that one of the company’s cloud storage containers hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing customers’ personal information. The cloud storage container was publicly accessible from its creation in January 2018 and housed a database backup file of over three million records of customer email addresses and account passwords.

In May 2021, Wegmans discovered a second misconfigured cloud storage container. The second container, misconfigured from its creation in November 2018, contained a database with customers’ names, email addresses, mailing addresses and additional data derived from drivers’ license numbers. In June 2021, Wegmans began notifying affected customers whose personal information was compromised by the issue.

Among other problems, the NYOAG alleges that Wegmans failed to (1) appropriately configure the cloud storage containers to limit access to their contents; (2) inventory its cloud assets containing personal information; (3) secure all user passwords; (4) regularly conduct security testing of its cloud assets; and (5) maintain long-term logs of its cloud assets. In its agreement with the Wegmans, the NYOAG noted that the company’s online privacy policy claimed to make securing customers’ personal information “a top priority.” As a result, the NYOAG alleges Wegmans violated New York data security and consumer protection laws.

In addition to paying a $400,000 penalty, the agreement requires Wegmans to adopt new data security measures, including:

maintaining a comprehensive information security program;
maintaining appropriate asset management practices;
establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information;
developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment;
implementing centralized logging and monitoring of cloud asset activity;
establishing appropriate password policies and procedures for customer accounts;
maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities;
establishing appropriate practices for customer account management and authentication; and
updating its data collection and retention practices, including only collecting a customer’s personal information when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information.

Menu

Privacy & Information Security Law Blog

Attorney Advertising

About Our Practice Group