AG James Requires Wegmans to Improve Data Storage Security Practices to Protect Consumers
(June 30, 2022) New York – New York Attorney General Letitia James today secured $400,000 from grocery store chain, Wegmans, for exposing the personal information of more than three million consumers nationwide, including more than 830,000 New Yorkers. For years, Wegmans kept consumers’ personal information in misconfigured cloud storage containers that were open, making it easy for hackers or others to potentially access the information. The compromised data included usernames and passwords for Wegmans accounts, as well as customers’ names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers. As a result of Attorney General James’ action, Wegmans is also required to upgrade its data security practices to protect consumers.
“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” said Attorney General James. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
In April 2021, a security researcher informed Wegmans that a cloud storage container hosted on Microsoft Azure was left unsecured and open to public access, potentially exposing consumers’ sensitive information. Wegmans immediately reviewed its cloud environment and identified the container, which had a database backup file with over three million records of customer email addresses and account passwords. The container was misconfigured from its creation in January 2018 until April 2021. During this time, an unauthorized actor could have accessed and cracked account credentials, using them to log in to a customer’s Wegmans account or to access a customer’s account on