A supermarket. Image by Velela, Creative Commons (CC BY-SA 3.0).
Wegmans Food Markets has notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.
Wegmans is a major regional supermarket chain with 106 stores in the mid-Atlantic and Northeastern regions (covering New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).
According to the food retailer: “We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access.”
This is of concern because major retailers, such as grocery chains, collect large volumes of customer data. In seeking the best prices, consumers tend to give up sensitive personal information in order to obtain a loyalty card. This is the kind of data that many threat actors seek.
The supermarket chain's notice makes it apparent that customer information was exposed in the data breach. The data exposed included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.
Looking at the matter for Digital Journal is Pravin Rasiah, VP of Product, CloudSphere.
Rasiah places the weakness with the company, pointing to its weak security and its reliance upon cloud computing.
Rasiah says: “Awareness within the cloud environment is crucial to preventing data leaks such as this one. Businesses who choose to store sensitive customer information in the cloud are responsible for ensuring that misconfigurations do not occur, and information stays secure.”
Such matters require swift and decisive resolution, says Rasiah. He recommends: “To protect brand reputation and keep customers safe, a cloud governance platform providing ongoing monitoring across the cloud landscape is vital to ensuring configuration errors are discovered quickly.”
Rasiah describes the consequence of this more protective approach: “With the ability to identify and remediate risks in real time, businesses can stay apprised of security risks before it’s too late.”