Another company was caught in a cloud misconfiguration issue as Wegmans Food Markets on Thursday notified its customers that two of its cloud databases were left open to potential outside access.
In a notice released to its customers, Wegmans said the type of customer information included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and email addresses and passwords for access to Wegmans.com accounts.
Wegmans said all impacted Wegmans.com account passwords were hashed and salted, so the actual password characters were not contained in the databases. The company said social security numbers were not impacted, as Wegmans does not collect that information, and no payment card or banking information was involved.
The cloud misconfiguration was first brought to the food retailer’s attention by third-party security researchers and then the company confirmed the configuration issue on or about April 19. Wegmans then worked with a leading forensics firm to investigate the incident’s scope, identify the information in the two cloud databases, ensure the integrity and security of the systems, and fix the issue.
News of a cloud misconfiguration at Wegmans serves as yet another example of the complexity of IT systems as organizations migrate to the cloud, said Rick Tracy, CSO at Telos Corporation. Tracy said companies really need to understand the shared security model of the cloud providers.
“You must know what security functions are provided by the cloud vendor versus what cloud users are responsible for,” Tracy said. “Generally speaking, users should expect to secure data that they store in the cloud by implementing protective controls such as strong authentication, preferably multi-factor authentication and encryption.”
Tim Wade, technical director, CTO Team at Vectra, added that the ability to detect and respond in real time has become an essential part of modern security. Wade said misconfiguration issues are not going away any time soon, which means customers that rely on everything being 100% correct will be sorely disappointed when reality strikes.
“Companies need a holistic approach to security,” Wade said. “Yes, minimizing misconfiguration and hardening services is part of that holistic approach, but until organizations have a plan to identify the breach in real-time, this type of activity will continue.”