Wegmans cloud databases exposed

Supermarket says a previously undiscovered configuration issue led to two databases being left open

Buffalo, NY (WBEN) - Wegmans is warning customers that two of its cloud databases, intended for internal use, were inadvertently left open to potential outside access.

One expert tells WBEN he considers it a low-level potential breach.

In a letter to customers, Wegmans says, "We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access. Certain customer information, outlined below, was contained in these databases. This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021. We then worked diligently with a leading forensics firm to investigate and determine the incident’s scope, identify the information in the two databases, ensure the integrity and security of our systems, and correct the issue."

Cybersecurity expert Arun Vishwanath says some of the data in question is shoppers club information, including names and what's linked to the shoppers club number. "The claim is a misconfiguration, and these were potentially exposed," says Vishwanath. "We don't know if someone took it, but someone could have taken it."

Vishwanath says this follows a previous breach in February, where information of 3,000 people was compromised. "I'm not sure if the two are related, but I can't see why they can't be," says Vishwanath. He says the recent one is a low-level potential breach compared to what happened in February.

How could this affect you? "People tend to re-use passwords and prompt information. If you're reusing your password in other accounts, one of the first problems you'll have is they can use that to access other accounts, and that's what happened in February at Wegmans," says Vishwanath. "A lot of data in the wrong hands or a hacker sending you a phishing email now knows what you buy, what your interests are and what your field is."

Wegmans says all impacted Wegmans.com account passwords were, in technical terms, “hashed” and “salted,” meaning that the actual password characters were not contained in the databases. Social Security numbers were not impacted (Wegmans does not collect this information from its customers), nor was any payment card or banking information involved.