On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements. Wegmans does not confirm or deny the NYAG’s findings.
In brief, on April 5, 2021, a security researcher contacted Wegmans about a serious flaw that left some of Wegmans’ customers’ personal data available to the public. After receiving no response for a week, he tried again. This time Wegmans responded and confirmed he was right: a cloud storage container had been left unsecured and open to public access, potentially exposing sensitive information. The container held a database backup file with over three million records of customer email addresses and account passwords, the latter of which were hashed and salted. Wegmans concluded the misconfiguration was introduced when the container with the database was set up, back in January 2018. During its investigation, Wegmans found a second misconfigured container, which was also open to public access. This container held names, email addresses, mailing addresses, and checksum values derived from driver’s license numbers. Wegmans believed this misconfiguration was likewise introduced when the container was set up, this time in November 2018. Wegmans updated the container configurations to prohibit public access on May 12, 2021 and notified consumers.
The NYAG faulted Wegmans on five security areas: access controls, password management, asset management, logging and monitoring, and data collection and retention. With respect to password management and data collection and retention, the consent agreement states:
Password Management: At the time of the Incident, the database backup containing Customer email addresses and passwords contained over 1.8 million passwords that were hashed using the SHA-1 hashing algorithm. Given the deficiencies of SHA-1 hashing, Wegmans started transitioning users to the PBKDF2 hashing algorithm to secure passwords in 2016, but nevertheless continued to store passwords with SHA-1 until January 2020. Users who logged in starting in 2016 would automatically have their password hash updated to use the PBKDF2 algorithm. However, if a user had not logged in between 2016 and the date the database backup file was created, their credentials would still have been stored using the SHA-1 format.
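The rehash-on-login migration the agreement describes, written out as an added Python illustration (this is not Wegmans’ code; the legacy layout sha1(salt || password), the use of PBKDF2-HMAC-SHA256, and the iteration count are assumptions). It also shows the gap the agreement points at: accounts that never log in are never upgraded, so they have to be found and reset separately.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


@dataclass
class StoredCredential:
    scheme: str          # "sha1" (legacy) or "pbkdf2"
    salt: bytes
    digest: bytes
    iterations: int = 0  # only meaningful for pbkdf2


def legacy_sha1(password: str, salt: bytes) -> bytes:
    # Assumed legacy layout; the page does not state the exact construction.
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2_credential(password: str) -> StoredCredential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return StoredCredential("pbkdf2", salt, digest, PBKDF2_ITERATIONS)


def verify_and_upgrade(password: str, cred: StoredCredential) -> tuple[bool, StoredCredential]:
    """Check a login; on success a legacy SHA-1 record is replaced by a PBKDF2 one.

    Returns (ok, credential_to_store). The caller persists the returned record.
    """
    if cred.scheme == "sha1":
        if not hmac.compare_digest(legacy_sha1(password, cred.salt), cred.digest):
            return False, cred
        # Only at this moment is the plaintext available, so only now can we rehash.
        return True, pbkdf2_credential(password)
    if cred.scheme == "pbkdf2":
        expected = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, cred.iterations)
        return hmac.compare_digest(expected, cred.digest), cred
    raise ValueError(f"unknown scheme {cred.scheme!r}")


def still_legacy(creds: dict[str, StoredCredential]) -> list[str]:
    """Accounts still on SHA-1: users who never logged in since the migration began.

    These cannot be upgraded without the password; the remaining options are a
    forced reset or expiry, which is what a lazy migration alone never achieves.
    """
    return sorted(user for user, c in creds.items() if c.scheme == "sha1")
```
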
Data Collection and Retention: The affected information included checksums derived from Customers’ driver’s license numbers. However, Wegmans did not have a reasonable business purpose for maintaining any form of driver’s license information indefinitely. Checksums are not immune from attack and therefore cannot justify the maintenance of unnecessary Personal Information.
As part of the settlement, Wegmans agreed to pay $400,000, and take a variety of actions frequently seen in security-related consent agreements, such as: a written information security program, asset management (including cloud assets), retention of logs (“Logs for Cloud asset activity should be readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.”), annual penetration testing, an annual third-party assessment for the next 3 years, password policies, and customer account management and authentication. Some of the more unusual requirements are:
- Asset Management: Wegmans shall utilize manual processes and, where practicable, automated tool(s) to regularly inventory and classify, and issue internal reports on, all Cloud assets contained within its Network, including but not limited to all software, applications, network components, databases, data stores, tools, technology, and systems. The asset inventory as well as applicable configuration and change management systems shall, at a minimum, collectively identify: (a) the name of the asset; (b) the version of the asset; (c) the owner of the asset; (d) the asset’s location within the Network; (e) the asset’s criticality rating; (f) whether the asset collects, processes, or stores Personal Information; and (g) each security update and security patch applied or installed during the preceding period.
- Data Collection: Wegmans shall not collect Personal Information from any Customer without a reasonable business purpose for such collection.
- Data Deletion: Wegmans shall establish and maintain appropriate policies and procedures to ensure Personal Information is deleted when there is no reasonable business purpose to retain such Personal Information. For Personal Information collected prior to the Effective Date of this Assurance, Wegmans shall permanently delete Private Information for which no reasonable business purpose exists within ninety (90) days of the Effective Date and shall permanently delete all other Personal Information for which no reasonable business purpose exists within two hundred forty (240) days of the Effective Date.
(In New York, the state breach notification law defines “Private Information” in General Business Law § 899-aa, and the consent agreement uses the same definition. As for Personal Information, the consent agreement defines the term “Personal Information” as “information that can be used to identify a Customer, including name, home or other physical address, email address, phone number, account password, Social Security number, government ID number including driver’s license number, bank account number, credit or debit card number, or any Private Information.”)
As we pointed out in our previous post on a SHIELD Act settlement, this settlement shows regulators’ growing and continued emphasis on reasonable record retention and data disposition. Record retention often plays second fiddle in data security and privacy compliance programs, but the theft of old, unused personal information is something that regulators can quickly identify. A mere retention policy and schedule that employees are not meaningfully following is unlikely to shield an organization from regulatory scrutiny.
Even hashing and salting apparently won’t help against a SHIELD Act claim if a company had no business justification for having the data in the first place. Your record retention policy is only part of a “minimum necessary” policy that minimizes the amount of personal data collected, which would also help decrease the cost of protecting that personal data, and help minimize any regulatory fines in the event that data is breached.
In addition, note that New York has required the company to make a vulnerability disclosure program “conspicuously available” through its website. Security researchers and companies that have their own threat intelligence programs received some clarity in May from the U.S. Department of Justice (DOJ) regarding the federal anti-hacking law known as the Computer Fraud and Abuse Act (CFAA). The DOJ announced revisions to its charging policy on violations of the CFAA. The policy for the first time directs Justice Department attorneys to not bring CFAA charges for “good faith security research.” The policy also clarifies that the DOJ will not prosecute cases for “exceeding authorized access” although prosecutions for “unauthorized access” have not changed.