New York Attorney General obtains $400K from Wegmans
Rochester, New York — On Thursday, New York Attorney General Letitia James secured $400,000 from Wegmans in connection with a cloud storage data breach that affected millions of customers last year.
A security researcher informed the grocery store of a cloud storage container that was left unsecured in April last year, according to state documents.
The container held mailing addresses, passwords, and names belonging to more than three million customers nationwide. Wegmans officials at the time said databases used to store internal information were “inadvertently left open to potential outside access.”
As a result of the state’s investigation, Wegmans will pay New York $400,000 in penalties.
“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” said Attorney General James. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems.”
In addition to its penalty, officials are required to adopt new security measures to ensure future breaches can be avoided. Upgrades to the store’s internal information security include the following:
• Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company’s leadership;
• Maintaining appropriate asset management practices, including maintaining an inventory of all cloud assets;
• Establishing policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information;
• Developing a penetration testing program that includes at least one annual comprehensive penetration test of Wegmans’ cloud environment;
• Implementing centralized logging and monitoring of cloud asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
• Establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse;
• Maintaining a reasonable vulnerability disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities;
• Establishing appropriate practices for customer account management and authentication, including notice, a security challenge, or re-authentication for account changes; and,
• Updating its data collection and retention practices, including only collecting a customer’s personal information when there is a reasonable business purpose for the collection and deleting personal information when there is no longer a reasonable business purpose to retain such information — for information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date.