Although there was no evidence that any bad actor misused or accessed Wegmans’ customer data, the NYAG still pursued enforcement. The NYAG enforcement stands in contrast to private federal class action enforcement, which requires concrete harm to consumers to convey standing—particularly in light of the Supreme Court’s ruling in TransUnion LLC v. Ramirez, discussed in further detail here. The NYAG focused on language in Wegmans’ privacy policy that assured customers that their data privacy was a “top priority” for Wegmans, which the NYAG found deceptive under New York’s consumer protection law.
The Cloud Breach
On April 13, 2021, a “security researcher” informed Wegmans that one of the company’s cloud storage containers hosted on Microsoft Azure was “unsecured and open to public access,” potentially exposing sensitive customer information.[1] An investigation by Wegmans revealed that the container had been publicly accessible since its creation in January 2018 and contained over 3 million records of customer email addresses and account passwords.[2]
On May 12, 2021, Wegmans uncovered a second misconfigured container, likewise vulnerable since its creation in November 2018. This second container housed customer names, email addresses and mailing addresses, as well as checksum values derived from drivers’ license numbers.[3] On June 16, 2021, Wegmans began notifying affected customers.
NYAG Identifies Wegmans’ Cloud Vulnerabilities
The NYAG alleged that Wegmans failed its duty to protect customer personal information in the cloud due to deficiencies in five areas:
1. Access Controls – Microsoft Azure cloud containers were not properly configured to limit access at the outset.[4]
2. Password Management – the company did not properly secure user passwords, choosing to hash them with the outdated SHA-1 hashing algorithm.[5] Even though Wegmans had begun transitioning to the more secure PBKDF2 algorithm in 2016, it continued to store passwords hashed with SHA-1.[6]
3. Asset Management and Security Assessment – Wegmans did not maintain an inventory of the cloud assets containing personal information, nor did it conduct security assessments of cloud databases.[7]
4. Logging and Monitoring – Wegmans did not maintain long-term logs of its cloud assets in Microsoft Azure, opting to retain logs for only 30 days. Wegmans also declined to run security tests of cloud assets.[8]
5. Data Collection and Retention – According to the NYAG, some of the compromised information included checksums derived from customer drivers’ license numbers, even though Wegmans had no “reasonable business purpose” for indefinitely retaining such information.[9] This constituted an unjustifiable retention of unnecessary personal information.[10]
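As an added illustration of the Password Management finding (item 2), and not code from the settlement or from Wegmans: the unsalted SHA-1 scheme beside a salted PBKDF2 scheme, with a login path that rehashes a legacy record the moment a correct password is presented, so a transition does not leave existing accounts on SHA-1 indefinitely. The iteration count, salt size and record layout are assumptions made for the example.

```python
"""Legacy SHA-1 password records beside PBKDF2, with rehash-on-login migration.
Example code added for illustration; iteration count, salt size and record
layout are assumptions, not values from the settlement."""

import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def legacy_sha1_hash(password: str) -> str:
    # The outdated scheme: one fast, unsalted SHA-1 digest. A fast hash lets
    # stolen records be tested against huge numbers of guesses offline, and
    # without a salt every user with the same password has the same record.
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    # The stronger scheme: a per-user random salt and a deliberately slow
    # derivation. Record layout (assumed): pbkdf2_sha256$iterations$salt$hash.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    # Accept both record formats; compare in constant time in either case.
    if record.startswith("sha1$"):
        return hmac.compare_digest(legacy_sha1_hash(password), record)
    _scheme, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_migrate(password: str, record: str) -> Tuple[bool, str]:
    """Return (authenticated, record to store).

    Hashing only new passwords with PBKDF2 leaves every existing account on
    SHA-1 until the user happens to change their password. Rehashing at the
    moment a correct password is presented retires legacy records one login
    at a time, since that is the only point where the plaintext is available.
    """
    if not verify(password, record):
        return False, record
    if record.startswith("sha1$"):
        return True, pbkdf2_hash(password)
    return True, record
```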
The NYAG also pointed out that Wegmans’ online privacy policy claimed to make securing customer personal information a “top priority” with “administrative, technical and physical safeguards in place” to protect information.[11] The NYAG found that in light of this privacy policy language, Wegmans’ actions were deceptive and unlawful under New York consumer protection law, while its data security practices violated the state’s data security law – the New York SHIELD Act.[12]
Prescribed Data Security Measures
Without admitting or denying fault, Wegmans has agreed to pay a $400,000 fine and will implement the following cybersecurity measures:
- Build and maintain a complete information security program tailored to the nature and scope of its operations and the sensitivity of the information. This program must be reviewed annually, with a qualified individual appointed to take responsibility for it and training provided to employees.[13]
- Maintain appropriate asset management practices, including both manual and automated tools to inventory assets in the cloud. This inventory must include the asset name, version, owner and location on the network, along with a criticality rating, any patches or updates, and whether the asset collects, processes or stores personal information.[14]
- Establish access control policies and procedures for all cloud assets containing personal information.
- Develop a penetration testing program to identify, assess and remediate vulnerabilities in cloud assets, with one comprehensive test of the company’s cloud environment conducted annually.[15]
- Establish a centralized system to log and monitor cloud asset activity, including collection and aggregation of logs for cloud assets and security monitoring for suspicious activity. Logs must be accessible for a minimum of 90 days and stored for at least one year after they are generated.[16]
- Implement password policies and procedures for customer accounts that include safeguards against unauthorized access and conform to standards from the National Institute of Standards and Technology (NIST). Within 18 months, implement a program to both inform customers of the benefits of multifactor authentication for their accounts and allow customers to opt in to multifactor authentication.[17]
- Maintain a program that allows third parties (such as security researchers) to disclose vulnerabilities. This program should be made available on the company website.
- Build policies and procedures for the management and authentication of customer accounts, including methods for security challenges and re-authentication when customers change their account information.[18]
- Reform data collection and retention practices, restricting collection of customer personal information to cases where there is a reasonable business purpose for collection, and deleting personal information when there is no reasonable business purpose for retaining it.[19]
Following up on these measures, Wegmans agreed to have its new information security program undergo a third party assessment and provide the written report to the NYAG, with subsequent annual reviews for three years.
Takeaways
Although a $400,000 fine for a misconfiguration may seem draconian, the Wegmans settlement demonstrates that the NYAG has very specific expectations under the New York SHIELD Act. This action makes two important points: (1) companies must build their cybersecurity with not only their network assets in mind, but also their assets in the cloud, and (2) the NYAG expects to see specific components representing reasonable security in an information security program, and is willing to prescribe them as part of enforcement with or without a showing of concrete harm to consumers. Companies should assess compliance with very specific expectations surrounding access controls, password management, asset management, security assessments for network and cloud assets, log retention and monitoring, and data collection, mapping and retention. Before deciding on security measures to protect their information, however, companies should first begin data mapping to identify where that information is stored, and ensure that their privacy policies do not overstate their cybersecurity measures.
Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about this decision or its impact on your company.
[1] In the Matter of the Investigation by Letitia James, Attorney General of the State of New York, of Wegmans Food Markets, Inc., Assurance No. 21-075 (June 21, 2022), hereinafter “Settlement,” available at https://ag.ny.gov/sites/default/files/ny_ag_wegmans_aod_6-2022_-_fully_executed.pdf.
[2] Id. at 2.
[3] Id. A “checksum value” is a short value computed from a larger piece of data and used to check that data for integrity.
[4] Settlement at 3.
[5] A “hashing algorithm” is a one-way mathematical function that transforms data into a fixed-length value from which the original cannot practically be recovered.
[6] Id. at 3.
[7] Id.
[8] Id.
[9] Id. at 4.
[10] See General Business Law § 899-bb, also known as the New York SHIELD Act.
[11] Settlement at 4.
[12] Id. at 5; see Executive Law § 63(12), General Business Law §§ 349 and 899-bb.
[13] Id. at 6.
[14] Id. at 7. A “criticality rating” ranks how important an asset is and is used to determine how often it should be inspected or maintained.
[15] Id. at 8.
[16] Id.
[17] Id. at 9.
[18] Id.
[19] Id.