US supermarket chain Wegmans discloses data breach

The supermarket chain Wegmans US Wegmans discloses a data breach, customers information was exposed on the Internet due to a misconfiguration issue.

Wegmans Food Markets disclosed a data breach, the supermarket chain notified customers that some of their information was exposed as a result of the accidental availability online of two of its databases due to a configuration issue.

Wegmans Food Markets, Inc., is a privately held American supermarket chain with 106 stores in the mid-Atlantic and Northeastern regions. In 2020, the company was ranked at number three on the Fortune List of the Top 100 Companies to Work For in 2020 based on an employee survey of satisfaction, currently, it has more than 50,000 employees.

“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access. Certain customer information, outlined below, was contained in these databases.” reads a press release published by the company.

The company became aware of the issue after a security researcher reported it, then Wegmans launched an investigation into the incident and hired a leading forensics firm to secure the misconfiguration.

Exposed data include customers’ names, addresses, phone numbers, birth dates, Shoppers Club numbers, as well as e-mail addresses and Wegmans.com account passwords. The company pointed out that account passwords were “hashed” and “salted,” while actual passwords were not contained in the databases.

“Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have.” continues the press release.

Financial data and customers’ social security numbers were not exposed because the company does not collect this type of information.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]