AG James Recovers $400,000 From Wegmans Over Alleged Data Security Lapses

  • New York AG Letitia James reached a $400,000 settlement with grocery store chain Wegmans Food Markets, Inc. to resolve allegations that the personal information of more than three million consumers nationwide was exposed, including more than 830,000 New Yorkers, due to Wegmans’ failures to adopt reasonable data security practices in violation of New York State Executive Law §63(12) and General Business Law §§ 349 and 899-bb.
  • According to the AG’s office, Wegmans became aware in April 2021 that a cloud storage container had been left unsecured and publicly accessible since 2018, and subsequently identified a second exposed database in May 2021. Information including email addresses, account passwords and other sensitive information was left potentially exposed for approximately 39 months as a result of several failures of Wegmans’ data management policies, including access controls, password management, asset management, logging management and data collection and retention. Wegmans began notifying affected customers in June 2021.
  • Under the terms of the Assurance of Discontinuance, Wegmans will pay $400,000 in penalties and will overhaul its security and data management policies, particularly those relating to cloud assets, including but not limited to its asset management practices, penetration testing, centralized logging and monitoring, password policies and procedures for customer accounts, and data collection and retention practices.