Wegmans Settles With NYAG for $400,000 Over Data Incident

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Of concern for the AG, among other things, were that the passwords were salted and hashed using SHA-1 hashing, rather than PBKDF2. Similarly, the AG found concerning the fact that the company did not have an asset inventory of what it maintained in the cloud. As a result, no security assessments were conducted of its cloud-based databases. The NYAG also took issue with the company’s lack of long-term logging: logs for its Azure assets were kept for only 30 days. Finally, the company kept checksums derived from customer driver’s license information, something for which the NYAG did not feel the company had a “reasonable business purpose” to collect or maintain.

The NYAG argued that these practices were both deceptive and unlawful in light of the promises Wegman’s made in its privacy policy. It also felt that the practices were a violation of the state’s data security law. As part of the settlement, Wegmans agreed to pay $400,000. It also agreed to implement a written information security program that addresses, among other things:

  1. asset management that covers cloud assets and identifies several items about the asset, including its owner, version, location, and criticality;
  1. access controls for all cloud assets;
  1. penetration testing that takes into account cloud assets, and includes at least one annual test of the cloud environment;
  1. central logging and monitoring for cloud assets, including keeping cloud logs readily accessible for 90 days (and further stored for a year from logged activity);
  1. customer password management that includes hashing algorithms and a salting policy that is at least commensurate with NIST standards and “reasonably anticipated security risks;” and
  1. policies and procedures around data collection and deletion.

Wegmans agreed to have the program assessed within a year of the settlement, with a written report by the third-party assessor provided to the NYAG. It will also conduct at-least-annual reviews of the program. As part of that review it will determine if any changes are needed to better protect and secure personal data.

Putting It Into Practice: This case is a reminder for companies to think not only about assets on its network, but its cloud assets, when designing a security program. Part of these efforts include clearly identifying locations that house personal information (as defined under security and breach laws) and evaluating the security practices and controls in place to protect that information. The security program elements the NYAG has asked for in this settlement signal its expectations of what constitutes a reasonable information security program.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Data Privacy Day 2013 – Passwords

The National Law Review recently featured an article on Passwords written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

MintzLogo2010_Black

 

Something everyone can do for Data Privacy Day:  make it a point to change at least one password and make it “long and strong.”

Here are some tips for building strong passwords from David Sherry, Chief Information Security Officer at Brown University:

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. Best practice says it should be eight characters, but the more the better. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?

Spell something backwards. Example: Turn “New York” into “ kroywen ”

Use “l33t speak”: Substitute numbers for certain letters.  Example: Turn “kroywen” into kr0yw3n

Randomly throw in some capital letters.  Example: Turn “kr0yw3n” into Kr0yW3n

Don’t forget the special character.  Example: Turn “Kr0yW3n” into       !Kr0y-W3n$

So, you say you can’t remember “complex” passwords…

One suggestion: create one, very strong, password and “append” it with an identifier:

!Kr0y-W3n$Bro

!Kr0y-W3n$Ama

!Kr0y-W3n$Boa

!Kr0y-W3n$Goo

!Kr0y-W3n$Yah

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Privacy Funny

The National Law Review is pleased to bring you this funny brought to our attention by Cynthia LaRose of Mintz, Levin, Cohn, Ferris, Clovsky, and Popeo PC: