Wegmans Food Markets notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.
Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).
The store chain was founded in 1916, and it is one of the largest private companies in the US, employing more than 50,000 people.
“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access,” the supermarket chain said in a press release.
“This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021.”
After the data breach was discovered, Wegmans hired a leading forensics firm to investigate the incident and correct the database misconfiguration.
Customer information exposed in the data breach included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.
However, according to Wegmans, the passwords were both hashed and salted, and the actual passwords were not stored in the unsecured databases.
“Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor was any payment card or banking information involved,” the company added.