Wegmans Food Markets said it recently discovered and closed a data security hole that had exposed some customer information.
Rochester, N.Y.-based Wegmans announced yesterday that two cloud databases used for internal business purposes were “inadvertently left open to potential outside access” because of a “configuration issue.” The databases included customer names, addresses, phone numbers, birthdates, Shoppers Club numbers and e-mail addresses, but no payment card or banking information or Social Security numbers (which the company doesn’t collect). Wegmans.com account passwords also were exposed but were “hashed” and “salted,” meaning that the actual password characters weren’t contained in the databases, the retailer said.
Wegmans said it first learned of the problem on or around April 19, 2021, and determined that the configuration issue began in 2018. The grocer said it worked with a forensics firm to investigate the issue and its scope, identify the information in the two databases, ensure the systems’ integrity and security, and fix the problem.
“We sent notice because we discovered, originally through a security researcher, that information in the affected databases was inadvertently left open to outside access,” Wegmans said in an email statement late Wednesday. “When we discovered the issue, we worked with leading outside experts to investigate the matter. The investigation was unable to uncover what information may have been actually accessed, if any. We have since corrected configurations and secured all affected information. We have also taken steps to avoid the occurrence of similar issues in the future.”
Any customers who may have been affected by the database issue have been notified, according to Wegmans. The company nonetheless advised customers to update their passwords and said those with questions can call (855) 535-1851.
“Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password,” Wegmans said in a notification of the security incident posted on its website. “It is generally a good idea to use a unique password for each online account you may have.”
Overall, Wegmans operates 106 supermarkets in New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts and North Carolina.