Wegmans Notifies Customers of Data Leak

Wegmans Notifies Customers of Data Leak

U.S. regional supermarket chain Wegmans informed customers that some personally identifying information data became exposed due to a data leak. 

BleepingComputer originally reported this story. In a press release, Wegmans stated: “We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access.”

“This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021.”

The Wegmans data leak appears to have exposed customers’ names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and (salted) passwords. However, no payment information was leaked. Wegmans warned customers of a potential credential stuffing attack some months earlier. 

We asked some cybersecurity experts for their take on the Wegmans Data Leak. Here’s what they had to say. 

Wegmans Notifies Customers of Data Leak: Expert Commentary

Kevin Dunne

Kevin Dunne is President at Pathlock

“The recent breach notification from Wegman’s highlights a recurring trend we are seeing: enterprises are storing more customer information than ever in their business applications.  As remote work and digital transformation initiatives push these systems into the cloud, it is common to find many of these business systems are publicly available to the internet, and loosely secured.  CISO’s and Data Privacy officers need to work with the business to understand what critical customer information is being stored where at an organization-wide level.  Unprotected data silos that are operated by the business undermine the work that security and data teams do to maintain strict controls over the core internal systems.  When these business systems aren’t overseen by the information security and information technology teams, they can introduce a new risk loophole that risks compliance with data privacy regulations like GDPR and CCPA.”

Tim Wade

Tim Wade is Technical Director, CTO Team at Vectra

“The ability to detect and respond in real-time is an essential part of modern security.  Misconfiguration issues don’t seem to be going away any time soon, which means customers that rely on everything being 100 perfect correct will be sorely disappointed when reality strikes.  There needs to be a holistic approach to security – yes, minimizing misconfiguration and hardening services is part of that holistic approach – but until organizations have a plan to identify the breach in real-time, this type of activity will continue.”

Trevor Morgan

Trevor Morgan is Product Manager at comforte AG

“Large retailers and grocery chains collect an enormous amount of customer data. For many grocery chains, getting the best prices often means consumers give up sensitive personal information in order to obtain a loyalty card. Of course, this is the type of data that threat actors seek because it has such high value within shadow markets.

These large enterprises have sophisticated IT infrastructures, and no doubt perimeter protections and data access controls serve as good baseline measures against intentional hacks and unintentional data access. However, when a reputable and popular grocery brand like Wegmans dutifully releases information about a data exposure due to configuration mishaps, it should remind organizations that those measures are baseline only because they protect the environment around data and not the data itself. To do that, you have to turn to data-centric protection methods like tokenization and format-preserving encryption, which replace sensitive data with representational information that cannot be leveraged, even if it falls into the wrong hands.

By all means, Wegmans is going through the proper procedures and alerting the public about mitigation efforts, but for similar enterprises that collect, handle, and process customer data, the incident should serve as food for thought—and hopefully some action.”

Thanks to the cybersecurity experts for their time and expertise on the Wegmans Data Leak. For more check out the SIEM Buyer’s Guide

Ben Canner