Wegmans, American supermarket chain, has disclosed a data breach incident. Headquartered in Gates, New York, Wegmans has 106 stores in the mid-Atlantic and Northeastern regions.

According to a press release, Wegmans recently became aware that due to a previously undiscovered configuration issue, two of their databases, used for business purposes and internal to Wegmans, were inadvertently left open to "potential outside access." 

The types of impacted customer information included: names, addresses, phone numbers, birth dates, Shoppers Club numbers, as well as e-mail addresses and passwords for access to Wegmans.com accounts. All impacted Wegmans.com account passwords were, in technical terms, “hashed” and “salted,” meaning that the actual password characters were not contained in the databases. Social security numbers were not impacted, as Wegmans says it does not collect this information from its customers, nor was any payment card or banking information involved.

The incident, Wegmans says, was first brought to their attention by a third-party security researcher and then confirmed the configuration problem, beginning on or about April 19, 2021. Wegmans then worked with a leading forensics firm to investigate and determine the incident’s scope, identify the information in the two databases, ensure the integrity and security of their systems, and correct the issue. 

Kevin Dunne, President at Pathlock, a Flemington, N.J.-based provider of unified access orchestration, says, "The recent breach notification from Wegman's highlights a recurring trend we are seeing: enterprises are storing more customer information than ever in their business applications.  As remote work and digital transformation initiatives push these systems into the cloud, it is common to find many of these business systems are publicly available to the internet, and loosely secured.  CISO's and Data Privacy officers need to work with the business to understand what critical customer information is being stored where, at an organization wide level.  Unprotected data silos that are operated by the business undermine the work that security and data teams do to maintain strict controls over the core internal systems.  When these business systems aren't overseen by the information security and information technology teams, they can introduce a new risk loophole that risks compliance with data privacy regulations like GDPR and CCPA."

Wegmans have since corrected configurations and secured all affected information, and also taken steps to avoid the occurrence of similar issues in the future. 

Erkang Zheng, Founder and CEO at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions, explains, "Configuration hygiene for cloud resources sounds basic, however, often times it is very hard to do the basics well, at scale. Especially when individual configurations that seem benign on its own may cause significant harm in combination. We need a graph-based approach to “connect the dots” when it comes to understanding cyber assets."

"The ability to detect and respond in real time is an essential part of modern security.  Misconfiguration issues don’t seem to be going away any time soon, which means customers that rely on everything being 100% correct will be sorely disappointed when reality strikes," says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company. "There needs to be a holistic approach to security – yes, minimizing misconfiguration and hardening services is part of that holistic approach – but until organizations have a plan to identify the breach in real time, this type of activity will continue."