Retail chains operate on thin margins with very tight IT and security budgets, so news on Thursday that Wegmans agreed to pay the state of New York $400,000 and upgrade its cybersecurity operations for a cloud misconfiguration was hardly a shocker to security industry insiders.
According to reports, the breach was identified by an unnamed third-party security researcher in April 2021, who reported that the personal data of more than 3 million Wegmans customers nationwide was exposed. Customer names, email addresses, mailing addresses, Shoppers Club numbers, and usernames and passwords for Wegmans.com accounts were stored in an unsecured cloud storage container and openly exposed as far back as January 2018.
“I’ve worked with retailers on technology infrastructure projects since the 1990s, and the retail industry, especially supermarket chains, operate on extremely thin margins because of the price sensitivities of their customers,” said Aaron Turner, CTO, SaaS Protect at Vectra. “As a result, they do not have IT or security budgets that other large organizations might.”
Cloud misconfiguration rears its head
Jonathan Villa, the practice director for cloud security at GuidePoint Security, pointed out that similar data breaches caused by misconfigured resources in the cloud are not as widespread as they once were, a potential reason why the fines were so high. Villa said the cloud service providers have made improvements to their services that bring to light some of the riskier configurations.
“That doesn't mean the services are any more secure or were less secure before, it simply means there’s more awareness,” Villa said. “It can be argued that if the information about misconfigured resources was available to the cloud customer, it could be a form of negligence. When cloud was new to the industry the root cause was almost always lack of education. Today, there have been major strides made to educate cloud customers.”
Wegmans put out a statement yesterday that said it takes the security of customer information very seriously and immediately remedied the situation once it was discovered. The company said it has improved its processes to better protect customer information in the future.
“While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded,” Wegmans said in a statement. “This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved.”
What cloud service providers can do moving forward
Vectra’s Turner added that Microsoft’s elimination of basic authentication protocols within Exchange Online is a great example of what all cloud providers should do. Turner said the CSPs need to make their cloud technologies secure by default.
“Unfortunately, most cloud PaaS and IaaS platforms have not done this yet,” Turner said. “Hopefully incidents like the Wegmans case will help motivate cloud technology providers to improve their default settings to help their customers better protect themselves from security risks and avoid regulatory problems in the future.”
Tyler Shields, CMO at JupiterOne, confirmed that the industry has seen this type of misconfiguration causing massive data breaches nearly monthly over the last three or four years. Shields said the problem with moving services to the cloud is that most enterprises don't have any way of keeping tabs on cloud-native resources and ephemeral-style components.
“This is exactly what makes the cloud powerful, yet risky to companies building on cloud native technology,” Shields said. “You must have some type of cyber asset inventory system in place to continuously keep tabs on the state and structure of your cloud and SaaS systems. Without it, you end up not knowing what you have out there and by proxy not being able to secure it.”
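As an added example (not code from the article or from any company quoted in it), here is the kind of inventory check Shields describes: it walks a constructed list of storage-container records in an S3-style shape and flags any container whose ACL or policy lets anonymous principals read it, unless a public-access block overrides that. The field names and sample values are assumptions for illustration.

```python
"""Audit a storage-container inventory for anonymous read access."""
from typing import Any

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def is_anonymous(principal: Any) -> bool:
    """True when a policy Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public_read(policy: dict) -> bool:
    """Any Allow statement giving a read action to an anonymous principal."""
    # Conditions are not evaluated, so a conditioned grant is still flagged
    # for review; that is the conservative choice for an inventory sweep.
    for stmt in policy.get("Statement", []):
        act = stmt.get("Action", [])
        actions = {act} if isinstance(act, str) else set(act)
        if (stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal"))
                and actions & READ_ACTIONS):
            return True
    return False


def audit_containers(inventory: list) -> list:
    """Names of containers readable by anyone via an open ACL or policy."""
    findings = []
    for c in inventory:
        if c.get("block_public_access"):
            continue  # a public-access block overrides permissive ACLs and policies
        if c.get("acl") in PUBLIC_ACLS or policy_grants_public_read(c.get("policy", {})):
            findings.append(c["name"])
    return findings


# Constructed sample inventory (assumed field names): one container left open by
# policy, one with an open ACL that a block neutralises, one properly scoped.
SAMPLE_INVENTORY = [
    {"name": "customer-exports", "acl": "private", "block_public_access": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "*"}]}},
    {"name": "legacy-backups", "acl": "public-read", "block_public_access": True},
    {"name": "app-config", "acl": "private", "block_public_access": False,
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}}]}},
]
```

Running `audit_containers(SAMPLE_INVENTORY)` returns only `customer-exports`, the container that is open by policy with nothing overriding it.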