Wegmans Grocery Store Suffers Another Data Breach

 Wegmans, a national grocery store chain, recently notified its customers that some information might have been exposed in a data breach.

What Happened?

Bleeping Computer reports that, “Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).” The grocery store was founded in 1916 and has 50,000 employees.

The company recently discovered that two of its databases were publicly accessible due to a configuration issue and thus notified customers of the data breach.

Wegmans told the press,

“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access.”

“This issue was first brought to our attention by a third-party security researcher, and we then confirmed the configuration problem, beginning on or about April 19, 2021.”

How Did Wegmans Respond?

Immediately upon discovering the data breach, the grocery retail giant hired a prominent cybersecurity firm to perform a forensic investigation and help secure the data.

However, the damage is already done. Wegmans notified customers that some of the information that could have been exposed to hackers includes names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account email addresses and passwords.

Wegmans assured customers that their passwords stored in the database were hashed and salted, not stored in plain text, making them harder to decrypt and use.

A company spokesperson said, “Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor were any payment card or banking information involved.”

In their public statement, Wegmans recommended to customers, ”Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have.”

Not the First Attack

Three months prior (in late March), Wegmans had to notify customers of a credential stuffing attack affecting 27,000 customers. The attack was aimed at their online services. Wegmans’ public notification in March stated that “It is likely that your login credentials were taken from another source, for example, the compromise of another company or website, where you may have used the same or similar login credentials.”

“This is known as a ‘credential stuffing’ attack, which can occur when individuals use the same login credentials on multiple websites.”

This attack was discovered in late February, and the company found that hackers gained access to customers’ names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club Numbers associated with the compromised Wegmans.com accounts.

Thankfully, Wegmans does not store credit, debit, or payment card information on their online servers, and therefore, that information was not compromised. After the credential stuffing attack, Wegmans forced a password reset for all their customers.

How Can Customers Stay Safe?

In its disclosure to customers, Wegmans urged customers not to reuse passwords on multiple websites/accounts. Some other tips to stay safe while using online services include:

• Always use very strong, long passwords.
• Install and use antivirus/anti-malware software on all devices.
• Turn on two-factor authentication whenever you can.
• Never share personal information online when unsolicited.
• Watch out for phishing emails and scam calls.
• Never click links or download attachments in emails.
• Regularly monitor all bank and credit card statements looking for any suspicious activity.
• Sign up for identity monitoring to keep all your accounts and personal information safe.