Following the data breach, Wegmans announces in a press release that two of its internal databases were open to outside access due to an undetected configuration issue, according to Security Magazine.
The incident was first reported around April 19, 2021 by an outside security researcher. The leaked data includes the following types of customer information: phone numbers, names, addresses, shopper club numbers, birth dates, and email addresses along passwords to access accounts on their website.
Luckily, Wegmans assures that all passwords were securely stored in a hashed and salted form and were not recorded in the databases. Moreover, critical data such as social security numbers, credit cards, or banking information, was not stolen as the company does not collect this type of information.
Wegmans fixed the issues and secured the impacted data
Wegmans proceeded to correct the configuration errors and secured the affected data.Moreover, thanks to the help of a forensics firm, they took measures to avoid similar incidents in the future.
Kevin Dunne, President at Pathlock, says “The recent breach notification from Wegman’s highlights a recurring trend we are seeing: enterprises are storing more customer information than ever in their business applications. As remote work and digital transformation initiatives push these systems into the cloud, it is common to find many of these business systems are publicly available to the internet, and loosely secured”.
He added that CISO and Data Privacy officers must work together with the company to figure out where key customer data should be stored, organization-wide. The need for a unified system also comes from the need of compliance with data protection standards such as GDPR and CCPA.
Erkang Zheng, CEO at JupiterOne, explained that cloud systems should be configured cleanly and securely, even if it is hard to do so at scale. He emphasized that even configurations that don’t look dangerous on their own can lead to significant damage when combined.