US supermarket giant Wegmans exposed sensitive data

It took Wegmans a month to respond and secure its data after the Website Planet security team’s responsible disclosure.

June 25, 2021

2 minute read

It took Wegmans a month to respond and secure its data after the Website Planet Security Team’s alerted the company about the issue.

In recent news, Wegmans Food Markets, Inc., a private US supermarket chain with 106 stores across the country, exposed sensitive credentials and through a misconfigured Microsoft Azure Blob Storage Server.

The total size of the data exposed was 626 MB and although the total number of records is unknown, it is known that they contained sensitive files with the following types of data:

Backend secrets
Access keys
AES decryption keys
Whitelisted IPs
Deployed files

It is worth noting that backend secrets exposed numerous examples of confidential company information and passwords to company accounts while access keys exposed keys that granted entry to several other servers as well as Wegmans’ SQL database.

Furthermore, exposing AES decryption keys would allow third parties including threat actors to unencrypt other files while exposing deployed files could provide further information about Wegmans’ website.

The server was live at the time of discovery, suggesting the content of the server is current and relevant to Wegmans’ business operations today, Website Planet Security Team wrote in their report.

Considering the fact that the exposed data could give hackers access to Wagmans’ primary SQL database, this leak could potentially affect a large number of people from the customer base but as of right now, it has only affected Wegmans and its business operations.

1: Access keys, 2: AES decryption keys, 3: Passwords in ‘backend secrets.’ Image: Website Planet

The Website Planet security team sent a responsible disclosure to Wegmans on March 10th, 2021 after they discovered the unsecured Azure Blob Storage Server but they did not receive any reply even after several follow-ups.

However, on April 13th, weeks after exposing its server, the company finally responded to the disclosure yet it wasn’t until April 19th that the data was finally secured. It remains unclear if the data was accessed by a third party with malicious intent.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

The Latest

IT and Cybersecurity Jobs in the Age of Emerging AI Technologies

Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Unlocking the Power of Portfolio Analysis – A Comprehensive Guide

6 Phone Management Tips When Traveling Abroad

US supermarket giant Wegmans exposed sensitive data

It took Wegmans a month to respond and secure its data after the Website Planet Security Team’s alerted the company about the issue.

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

Global Hack Exposes Personal Data: Implications & Privacy Protection – Axios Security Group

Match Systems report on consequences of CBDC implementation, led by CEO Andrei Kutin

Cypago Announces New Automation Support for AI Security and Governance

Raindex Launches On Flare To Power Decentralized CEX-Style Trading

US supermarket giant Wegmans exposed sensitive data

It took Wegmans a month to respond and secure its data after the Website Planet Security Team’s alerted the company about the issue.

Related Posts