NICK ZAPPIA

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

NICK ZAPPIA has been promoted from account manager to director of account service at ABC Creative. In this role, he will continue to manage his current accounts, but also oversee the account management team to ensure customers receive great service. A SUNY Cortland graduate, Zappia came to ABC after several years of working on the […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

PAUL J. TORTORA, JR.

People on the Move, Subscriber Only

PAUL J. TORTORA, JR. has joined Tully Rinckey PLLC’s Syracuse office as an associate attorney. He focuses his practice on education and family and matrimonial law. Tortora previously served as a staff attorney at the Hiscock Legal Aid Society in Syracuse, where he provided representation in divorce proceedings and other family-law matters including, custody, domestic

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Bousquet Holstein PLLC

People on the Move, Subscriber Only

DIANA G. ROGATCH has joined Bousquet Holstein PLLC in its brownfield practice group. She is returning to the law firm after taking part in the 2021 class of summer associates, where she assisted with tax, business, and litigation matters. Her experience includes working as a litigation paralegal for a mid-size law firm in Boston for

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Fiber Instrument Sales, Inc.

People on the Move, Subscriber Only

Fiber Instrument Sales, Inc. (FIS), a manufacturer and distributor of fiber-optic components and test equipment, recently announced the promotion of SALVATORE BATTAGLIA to director of marketing. He holds a bachelor’s degree in professional and technical communications from SUNY Polytechnic Institute and dual-associate degrees from Mohawk Valley Community College in both computer information systems and web

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Research & Marketing Strategies, Inc.

People on the Move, Subscriber Only

Research & Marketing Strategies, Inc. (RMS) recently added JAMES FLEMING as a health-care transformation specialist. As an integral member of the RMS Healthcare Division, his primary responsibility is to provide targeted health-care consulting by partnering with clients seeking to achieve and maintain Patient-Centered Medical Home Recognition, as well as other health-care transformation projects. Fleming works

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

DURELL CULL

People on the Move, Subscriber Only

DURELL CULL has been appointed track and field head coach/athletic specialist at Mohawk Valley Community College (MVCC). He has worked at MVCC since 2013 in a variety of part-time positions, including assistant sprint coach, adjunct instructor, technical assistant, head cross country coach, and head track and field coach. Prior to joining the college, Cull served

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Wegmans pays $400K penalty after data breach exposed customer information

Law, Accounting & Taxes, Subscriber Only, Technology

Grocery store chain Wegmans is paying $400,000 in penalties to New York State after its data breach exposed the personal information of more than 3 million consumers nationwide, including more than 830,000 New Yorkers. Wegmans is also required to upgrade its data-security practices to protect consumers, New York Attorney General Letitia James said in a

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Wegmans is also required to upgrade its data-security practices to protect consumers, New York Attorney General Letitia James said in a June 30 announcement.

“For years,” Wegmans kept consumers’ personal information in “misconfigured” cloud storage containers that were open, making it easy for hackers or others to potentially access the information, James’ office said.

The compromised data included usernames and passwords for Wegmans accounts, along with customers’ names, email addresses, mailing addresses, and additional data derived from drivers’-license numbers.

“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”

Probe details

In April 2021, a security researcher informed Wegmans that a cloud-storage container hosted on Microsoft Azure was left unsecured and open to public access, “potentially exposing” consumers’ sensitive information, James’ office said.

Wegmans “immediately reviewed” its cloud environment and identified the container, which had a database backup file with over 3 million records of customer email addresses and account passwords. The container was misconfigured from its creation in January 2018 until April 2021.

During that time, an unauthorized actor could have accessed and cracked account credentials, using them to log into customers’ Wegmans accounts or to access consumers’ accounts on a different website if the customers had reused their passwords.

In May 2021, Wegmans discovered a second cloud-storage container that was also misconfigured. The storage container, which was left publicly accessible since it was set up in November 2018, housed a database that included customers’ names, email addresses, mailing addresses, and additional data derived from drivers’-license numbers.

In June 2021, Wegmans began notifying affected consumers whose personal information was compromised during the incident.

James’ office determined that, in addition to failing to appropriately configure the cloud-storage containers to limit access to its contents, at the time of the incident, Wegmans failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.

In addition, Wegmans maintained checksums derived from customers’ driver’s license numbers “without a reasonable business purpose” to maintain any form of driver’s license information “indefinitely.”

Wegmans also failed to maintain long-term logs of its cloud assets, which made it “difficult to investigate security incidents,” James’ office said.

Protection measures

Besides the $400,000 in penalties, Wegmans must also adopt new measures to protect consumers’ personal information going forward.

The company must maintain a “comprehensive” information-security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company’s leadership.

It must also maintain appropriate asset-management practices, including maintaining an inventory of all cloud assets.

Wegmans will also establish policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information. It will also develop a penetration-testing program that includes at least one annual “comprehensive” penetration test of Wegmans’ cloud environment.

In addition, Wegmans is implementing centralized logging and monitoring of cloud-asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.

The grocery-store chain is also establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse.

Wegmans is also maintaining a “reasonable” vulnerability-disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities. It’s also establishing appropriate practices for customer-account management and authentication, including notice, a security challenge, or re-authentication for account changes.

The company is also updating its data collection and retention practices, including only collecting a customer’s personal information “when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information. For information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date,” James’ office said.

Wegmans reaction

In a company statement, Wegmans says it takes security of customer information “very seriously and immediately remedied the situation once it was discovered.”

“We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded,” Wegmans said. “This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved.”

Cybersecurity resilience focuses on staying operational

Regional News, Small Business, Subscriber Only, Technology

UTICA, N.Y. — A growing mindset in the world of cybersecurity is cybersecurity resilience, which is the idea that hacks are inevitable, so businesses need to figure out how to remain operational when those hacks happen. According to the National Institute of Standards and Technology (NIST), cybersecurity resilience is the ability to anticipate, withstand, recover

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

According to the National Institute of Standards and Technology (NIST), cybersecurity resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

“Cybersecurity is in the headlines every day,” says Alex MacDiarmid, director of advanced programs at Quanterion Solutions, Inc. in Utica. That resilience element is all about how a business can continue to perform its essential functions if and when a cyber attack happens.

It’s almost impossible to develop a cybersecurity plan that prevents all attacks, says Cully Patch, senior program manager for cybersecurity and intelligence at Quanterion. That’s because the functionality of a system is inversely connected to its security. In other words, the more secure a system is, the less functional it is.

Businesses need to find that sweet spot in between, he says, where systems are well protected but are still functional enough for employees to do their jobs. They also need to fine tune their resilience plan, he adds.

In the ever-growing digital age, it really is crucial. According to Quanterion, there are 14.4 billion active “internet of things” devices, with that number growing about 18 percent annually. Internet of things means devices with sensors, processing ability, software, or some form of technology that connects it to the internet or other communication network. This can include anything from machinery in a factory or hospital to smartwatches and other wearables and, of course, the phones and computers we use in our everyday personal and work lives.

Ransomware remains a popular choice for hackers going after businesses. The workday is humming along and all of a sudden, a message pops up on computer after computer on the business’ network. Hackers have control of the network — and all the data and programs on it — effectively griding business to a halt.

That’s where the resilience plan comes into play, MacDiarmid says. Many times, companies just pay the ransom. “The bad thing about all that is even if you pay the ransom … it doesn’t unlock as fast as it locks,” he notes. Plus, the business is out the ransom money.

Other downsides of being the victim of a cyber attack can include damage to the business reputation, loss of revenue, and even fines in some cases, MacDiarmid notes.

One example of resilience that’s a better solution, he says, is having routine backups to which the company can revert back. Rather than pay the hackers, the company can simply revert back to the most recent backup. Some work may be lost, but the business isn’t at the mercy of hackers and can continue to operate.

Another option is to separate business systems so they can operate independently from each other, MacDiarmid adds. That way, if one area is compromised, the rest of the business can continue to function.

In order to produce a plan for resiliency, there are five key cyber functions that come into play, MacDiarmid says. They are identify, protect, detect, respond, and recover.

Within those functions are basic things such as strong antivirus programs, company protocols regarding passwords, and good cyber hygiene practices (keeping software up to date, removing outdated users, etc.) as well as more-advanced actions such as monitoring network activity for anomalies, diagramming the network, and developing an incident response plan for distinct types of incidents, Patch and MacDiarmid say.

NIST’s Small Business Cybersecurity Corner offers a number of planning tools to assist businesses that may not have an in-house cybersecurity person or the means to employ an outside firm.

AIS wins AFRL contract

Manufacturing & Engineering, Regional News, Subscriber Only, Technology

ROME, N.Y. — Assured Information Security, Inc. (AIS) recently landed an Agile Cyber Technology 3 (ACT 3) contract, a $950 million indefinite-delivery/indefinite-quantity (IDIQ) pact from the Air Force Research Laboratory (AFRL). Both organizations are located in the Griffiss Business and Technology Park in Rome. The contract for technical documentation, technical reports, software, and hardware serves

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

The contract for technical documentation, technical reports, software, and hardware serves as a vehicle for rapid execution of critical needs, says Dan Kalil, chief commercial officer at AIS. Essentially, that means any federal government agency with a rapid need can award AIS a contract up to $950 million in a simple and expedited manner, he says.

“It enables very timely interactions between the federal government and AIS,” he notes, adding that it is critically important. “Particularly when you think about cyberspace and cybersecurity … you need the ability to not only respond rapidly but also to get out ahead of it.”

Since the work will all be done for the Air Force and partner organizations, the need for agility and quickness can be a matter of life and death, Kalil stresses. AIS is one of five companies to receive this contract award from AFRL.

The pact comes on the heels of the company celebrating 20 years since earning its first government contract. It was May 2002 when AIS, which was founded in June 2001, secured its first contract, which was also from AFRL.

“Starting AIS was one of the biggest risks I’ve ever taken and earning our first contract was a huge milestone that made it all worth it,” AIS CEO Charles Green said in a statement. “It gave us all the confidence we needed and set the trajectory for AIS for decades to come.”

Since that first deal, AIS has completed 376 contracts and is currently fulfilling another 44.

The company also holds 17 patents and has 11 more filed.

Looking back, Kalil contends that AIS was truly ahead of the industry that was supporting the AFRL at the time, and he attributes that to the company’s success.

“We were the generation that wanted to turn cyber into launch speed,” he says. It was all about novel, next generation, tomorrow capabilities but having them today.

The company is blessed to have such a strong relationship with the AFRL, he adds, and the ACT 3 contract is just another example of that great working relationship.

The contract is also symbolic of AIS as a company, he says. As a small and nimble organization, its motto has always been, “Just go do it.”

The motto has served the business well. Along with marking 20 years of government contracts, AIS has also grown to more than 200 employees and additional offices in Rochester and Syracuse in New York; Augusta, Georgia; Baltimore, Maryland; and Lorton, Virginia.

The plan for the next 20 years is to stay at the forefront of cyber technology and help customers stay agile, Kalil says. “The next 20 years are filled with innovation and agility.”

Just over a year ago, AIS launched AssuredTek, a cybersolutions company in the data-protection field. Before that, it acquired cybersecurity firm GreyCastle Security in 2016 as part of its initiative to grow its “ecosystem” into new areas.

Business cybersecurity often involves paying attention

Banks & Credit Unions, Insurance & Financial Services, Subscriber Only, Technology

DeWITT, N.Y. — Protecting your money takes a lot more than an alarm or guard at the bank or shielding your PIN when you enter it at the ATM. This is especially true for businesses as more financial transactions take place in cyberspace. Businesses often notice bad transactions weeks after the fact, says Daniel Cardi,

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Businesses often notice bad transactions weeks after the fact, says Daniel Cardi, AVP and corporate security officer for Community Bank, N.A. in DeWitt. The number-one thing business owners and managers can do to avoid the fallout from such transactions is to pay attention, he adds.

That means staying up to speed on account activity and recognizing things outside the usual pattern of activity. Scammers often try to mix things into normal transactions, so those in charge of finances should keep a close eye on unusual patterns, he adds. Paying attention means a business can lock down a credit card or bank account as soon it sees something out of the ordinary to prevent any further fraud or loss.

Businesses should also educate employees of the dangers of phishing, according to Cardi. “We’ve seen a lot of commercial customers [who] receive these scam emails,” he says. These emails present as things like a bill that’s due, but the email might note that the original payment method didn’t work and include a link for providing a new payment method. If an employee clicks the link and inputs the company credit-card information, the scammers now have that data, he says.

It’s important to scrutinize every email and look for clues that show it’s fake, including unusual fonts, misspelled words, or names that are slightly different, Cardi says. “If you don’t feel right about it, we’re happy to do the work and check it out,” he adds.

Businesses are often aware of some of the most basic protections such as creating difficult passwords to protect accounts, Cardi says, but may fall short on things like periodically updating those passwords or making sure the software on their computer is up to date. Good antivirus software is also important, as is making sure your bank has updated contact information for your business in the event it needs to reach you, he adds.

Another thing to remember is that not all points of vulnerability are at the end of a computer. Cardi urges customers not to write checks if they don’t have to, especially since they are vulnerable at three points — in the mailbox, during delivery, and at the final destination. Something as simple as tossing a check into the trash after mobile depositing it could open the door to criminals who can image the check and sell that image on the dark web, Cardi says.

If your business must use checks, he has a few recommendations. First, make sure to shred checks as soon as they aren’t physically needed anymore. Second, he recommends routinely changing out check stock.

“Change up the colors, switch the font,” he says. “Make it difficult for the bad guys.” Doing these things even just a few times a year makes it that much harder for fraud to happen.

Finally, Cardi says, don’t be afraid to reach out to your financial institution for help.

Headquartered in DeWitt, Community Bank was recently named one of Newsweek magazine’s most trusted companies and has more than $15 billion in assets with more than 220 branches across New York, Pennsylvania, Vermont, and Massachusetts. Parent company Community Bank System, Inc, (NYSE: CBU) also operates Benefit Plans Administrative Services, Inc. (BPAS); Community Bank Wealth Management; Nottingham Advisors, Inc.; and OneGroup NY, Inc.

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Get our email updates

What's New

Upcoming Events

Project Homecoming Job & Career Fair 2025

Annual Nonprofit Conference 2026

2026 CenterState CEO Economic Forecast Breakfast

CNYBJ Job Board

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get our email updates