The Rochester-based supermarket chain Wegmans, which has a store in Harrison and plans to open its first Connecticut store in Norwalk, has reached a settlement in an investigation by New York Attorney General Letitia James over its handling of customers' data. The investigation found that data from up to three million Wegmans customers had been largely unsecured for up to 39 months.
Wegmans agreed to pay a $400,000 fine and institute new security measures for protecting customer data. The personal information that had been exposed to hackers and to anyone else able to reach Wegmans' cloud data storage included customer names, email addresses, mailing addresses, information derived from driver's license numbers and passwords for Wegmans accounts. Some of the data had been exposed for as long as 39 months.
According to James, information relating to the accounts of more than 830,000 New Yorkers was among the material that had not been thoroughly secured and was left open for public access.
According to the settlement, Wegmans was first notified of the security issue in an April 5, 2021, email from a security researcher. The researcher found that, in storing data on Microsoft Azure cloud storage, Wegmans had left a storage container improperly secured, so that anyone on the internet could gain access to it without credentials. A month later, Wegmans discovered that a second storage container also had not been properly configured. In June 2021, Wegmans began notifying affected consumers whose personal information was compromised.
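The settlement does not say how the researcher found the open container, but the usual test for this class of Azure misconfiguration is an unauthenticated request and a look at what comes back. The script below is an added example, not code from the article, the Attorney General's office or Wegmans: it builds the anonymous listing URL for a container, parses a List Blobs response, and maps the results onto Azure's three public-access levels ("container", "blob", "private"). The account and container names are placeholders, and the HTTP responses are constructed inline rather than captured from any real account, so it runs offline; the treatment of a 409 PublicAccessNotPermitted error as an account-wide block reflects Azure's documented allowBlobPublicAccess setting and is an assumption about that response shape.

```python
"""Classify the anonymous-access level of an Azure Blob Storage container.

Added example for the article above. Nothing here is Wegmans' own tooling;
names are placeholders and sample responses are constructed, not captured.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote


@dataclass(frozen=True)
class Probe:
    """Outcome of one unauthenticated HTTP request: status code and body."""
    status: int
    body: str = ""


def list_url(account: str, container: str) -> str:
    """URL for the Blob service's List Blobs operation, sent with no auth."""
    return (f"https://{account}.blob.core.windows.net/{quote(container)}"
            "?restype=container&comp=list")


def blob_url(account: str, container: str, blob: str) -> str:
    """URL for an anonymous GET of one blob whose name is already known."""
    return f"https://{account}.blob.core.windows.net/{quote(container)}/{quote(blob)}"


def parse_listing(body: str) -> Optional[List[str]]:
    """Return blob names from an EnumerationResults document, or None if the
    body is not a listing (an <Error> document, HTML, or unparseable text)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "EnumerationResults":
        return None
    return [n.text for n in root.findall("./Blobs/Blob/Name") if n.text]


def classify(listing: Probe, known_blob: Optional[Probe] = None) -> str:
    """Map probe results onto Azure's public-access levels.

    "container": anonymous callers can enumerate and read every blob
    "blob":      anonymous callers can read blobs, but only by exact name
    "private":   nothing is served anonymously (or the container is absent)
    "blocked-account-wide": the storage account's allowBlobPublicAccess
                 switch is off, which overrides any per-container setting
                 (assumed to surface as 409 PublicAccessNotPermitted)
    """
    for probe in (listing, known_blob):
        if probe is not None and probe.status == 409 \
                and "PublicAccessNotPermitted" in probe.body:
            return "blocked-account-wide"
    # A 200 with a real EnumerationResults body is the worst case: full
    # enumeration, which is what turns one leaked file into a whole dataset.
    if listing.status == 200 and parse_listing(listing.body) is not None:
        return "container"
    # Listing refused, but a blob we already know the name of is readable.
    if known_blob is not None and known_blob.status == 200:
        return "blob"
    return "private"


# Constructed sample responses (not captured from any real storage account).
OPEN_LISTING = Probe(200, """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="customer-exports">
  <Blobs>
    <Blob><Name>reports/2021-04/export.csv</Name><Properties><Content-Length>18329</Content-Length></Properties></Blob>
    <Blob><Name>backups/accounts.json</Name><Properties><Content-Length>90411</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>""")

NOT_FOUND = Probe(404, '<?xml version="1.0" encoding="utf-8"?><Error>'
                       '<Code>ResourceNotFound</Code>'
                       '<Message>The specified resource does not exist.</Message></Error>')

ACCOUNT_BLOCKED = Probe(409, '<?xml version="1.0" encoding="utf-8"?><Error>'
                             '<Code>PublicAccessNotPermitted</Code>'
                             '<Message>Public access is not permitted on this storage account.</Message></Error>')


if __name__ == "__main__":
    print(list_url("example", "customer-exports"))
    print(classify(OPEN_LISTING), parse_listing(OPEN_LISTING.body))
    print(classify(NOT_FOUND, Probe(200, "name,email\n")))
    print(classify(NOT_FOUND, ACCOUNT_BLOCKED))
```

On the defensive side, the same two levels map onto two settings a cloud team should check from the inside rather than by probing: the per-container level (`az storage container show-permission --name <container> --account-name <account>`, remediated with `az storage container set-permission ... --public-access off`) and the account-wide switch (`az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false`), which is the one that keeps a second misconfigured container from mattering.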
“Wegmans failed to safely store and seal its consumers' personal information; instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”
In the settlement, Wegmans says that it already has “evaluated, improved upon, and adjusted the Information Security Program in light of the incident.” It also has agreed to update its data collection and retention practices, including collecting a customer's personal information only when there is a reasonable business purpose for doing so.
Wegmans also agrees that when it collects new information, it will keep it only as long as there is a reasonable business purpose for doing so. For information collected prior to the settlement, Wegmans has agreed to permanently delete all personal information for which no reasonable purpose exists to keep it.