22 June 21, 12:59
Quote: Wegmans Food Markets, the U.S. supermarket chain, has notified customers that some of their data was exposed because two of its cloud-based databases were misconfigured, making them publicly accessible online.
In a publicly posted breach notification letter, Wegmans said that the issue was first brought to the company’s attention when a third-party security researcher pointed out the configuration problem. Then, “on or about” April 19, Wegmans confirmed the issue.
It’s not clear whether April 19 is when the issue was reported to Wegmans, when the databases were left open to public access, or whether that’s just when Wegmans confirmed that they were exposed. Likewise, it’s not clear whether or not customers’ data was left in open databases months or even years before it was reported and/or confirmed. Threatpost has contacted Wegmans for clarification.
“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access,” the letter stated.
The databases contained customer information including names, addresses, phone numbers, birth dates, Shoppers Club numbers, as well as e-mail addresses and passwords for access to Wegmans.com accounts. The company added that all of the affected account passwords were salted and hashed, meaning that the actual passwords were obscured, not viewable in the databases.
Read more: Wegmans Exposes Customer Data in Misconfigured Databases | Threatpost