In a sign that it may be stepping up enforcement of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), the New York Attorney General’s Office (“NYAG”) announced on June 30, 2022 that it had reached a settlement with Wegmans, the national supermarket chain, for exposing the personal information of more than three million consumers nationwide, including more than 830,000 New Yorkers.
The relevant background, per the NYAG’s findings, can be summarized as follows: In the spring of 2021, Wegmans learned from a security researcher that a misconfigured cloud storage container on Microsoft Azure and a database backup file potentially made over three million customers’ personal information publicly accessible. Upon subsequent investigation, Wegmans found a second misconfigured database, which also may have allowed public access to customers’ personal information. The information stored in these databases included customers’ names, email and mailing addresses, account passwords, and data (checksum values) derived from driver’s licenses. Wegmans determined that the security issue was introduced in 2018, when the databases were configured and left unsecured. Wegmans began notifying customers in June 2021.
The NYAG investigated the security incident and found Wegmans’ data security practices wanting. In particular, the NYAG found, among other things, that Wegmans failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets. Wegmans also failed to maintain long-term logs of its cloud assets, which made it difficult to investigate security incidents.
The NYAG concluded that Wegmans had violated, inter alia, New York laws regulating data security protections, N.Y. Gen. Bus. § 899-bb, and laws prohibiting deceptive business practices, N.Y. Gen. Bus. § 349; section 899-bb(d) explicitly deems a violation of New York’s data security protections a violation of section 349.
Under the terms of the settlement, Wegmans agreed to pay a $400,000 fine and to create and maintain an Information Security Program in compliance with statutory requirements, including those set forth in section 899-bb. Wegmans must also implement “Personal Information Safeguards and Controls,” including, but not limited to: (1) cloud asset management; (2) access controls; (3) penetration testing; (4) logging and monitoring of cloud asset activity; (5) customer password management; (6) a vulnerability disclosure program to allow third parties, including security researchers, to detect and alert Wegmans to vulnerabilities; (7) customer account control policies, such as a security challenge or re-authentication for account changes; and (8) data deletion. Wegmans is also required to undergo comprehensive, third-party assessments of its Information Security Program and obtain “Third-Party Assessment Reports,” of which the NYAG may request copies.
Unlike cases we have reported on previously, the Wegmans data security incident was not the result of an external threat or cyberattack. Rather, consumer data was compromised by Wegmans’ own data security lapses, which left personal information vulnerable to would-be bad actors. This incident, the NYAG’s subsequent investigation, and the ensuing settlement illustrate the importance of businesses taking preemptive steps to ensure compliance with data security regulations, and implementing safeguards, even with cloud-based databases, to protect the sensitive information with which they are entrusted.