Wegmans to Pay $400,000 Following Data Breach
New York Attorney General Letitia James has announced that earlier today, she secured a $400,000 payout from Wegmans after a data breach exposed over three million customers' personal information.
In her press release, Attorney General James stated that customer information was kept in misconfigured cloud storage containers that were left open, making it easy for hackers to access the information. The data contained customers' usernames and passwords for Wegmans accounts, names, emails, mailing addresses and additional data from driver's license numbers.
Attorney General James said, "Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers."
In addition to paying the $400,000, Wegmans will also be required to drastically improve their cybersecurity measures to protect consumers' personal data. Those improvements include developing a penetration testing program with at least one annual test, upgrading password protection policies including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, and upgrading customer account management and authentication including notice, a security challenge or re-authentication for account changes.
Attorney General James also noted that the data storage container was misconfigured from its creation in January 2018 until April 2021, when a security researcher informed Wegmans about the potential issues with their data management. That storage container was hosted on Microsoft Azure and was unsecured and open for public access. Of the three million customers who had their personal information breached, over 830,000 were New Yorkers.