ROCHESTER – A Western New York-based grocery store chain has reached a settlement with state officials over a data breach that leaked customer information.
New York’s Attorney General announced Wegmans has agreed to pay $400,000 following a data breach that impacted more than 830,000 New Yorkers.
For years, Wegmans kept consumers’ personal information in misconfigured cloud storage containers that were open, making it easy for hackers or others to potentially access the information.
The compromised data included usernames and passwords for Wegmans accounts, as well as customers’ names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers.
As a result of Attorney General James’ action, Wegmans is also required to upgrade its data security practices to protect consumers.
Going forward, Wegmans must adopt new measures to protect consumers’ personal information, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company’s leadership;
- Maintaining appropriate asset management practices, including maintaining an inventory of all cloud assets;
- Establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information;
- Developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment;
- Implementing centralized logging and monitoring of cloud asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
- Establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse;
- Maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities;
- Establishing appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes; and
- Updating its data collection and retention practices, including only collecting a customer’s personal information when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information — for information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date.