  • US supermarket chain Wegmans notifies customers of data breach

    aum


     

    Wegmans Food Markets notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.

     

    Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).

     

    The store chain was founded in 1916, and it is one of the largest private companies in the US, employing more than 50,000 people.

     

    No payment information exposed in the incident


    "We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access," the supermarket chain said in a press release.

     

    "This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021."

     

    After the data breach was discovered, Wegmans hired a leading forensics firm to investigate the incident and correct the database misconfiguration.

     

    Customer information exposed in the data breach included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.

     

    However, according to Wegmans, the passwords in the databases were both hashed and salted, with the actual passwords not being stored in the unsecured databases.

     

    "Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor was any payment card or banking information involved," the company added.

     

    Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have. - Wegmans

     

    Credential stuffing attack warning three months earlier


    In late March, the supermarket chain also notified customers of credential stuffing attacks using credentials stolen from other online services and affecting more than 2,7000 accounts in January.

     

    "It is likely that your login credentials were taken from another source, for example, the compromise of another company or website, where you may have used the same or similar login credentials," the company said in a notification letter sent to impacted customers in March.

     

    "This is known as a 'credential stuffing' attack, which can occur when individuals use the same login credentials on multiple websites."

     

    After discovering the incident in mid-February, Wegmans found that the attackers could gain access to names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club Numbers associated with the compromised Wegmans.com accounts.

     

    Credit or debit card payment information was not exposed in the incident because Wegmans does not store such info on their servers.

     

    Wegmans also blocked the attacker's access by forcing a password reset for all affected accounts to prevent future logins.

     

    Impacted customers were also advised not to use the same credentials (i.e., emails and passwords) for multiple online platforms, including email, banking, social media, and other retailer accounts.

     

    Source

