NEW YORK: The supermarket chain Wegmans agreed to pay $400,000 and upgrade its security practices over a data breach that exposed personal information of more than 3 million consumers nationwide, New York Attorney General Letitia James said on Thursday.
Wegmans was accused of storing customer information in cloud storage containers hosted on Microsoft Azure that were left open because they had been misconfigured, leaving the data vulnerable to hackers.
James said customers' email addresses and Wegmans account passwords were exposed for about 39 months, while customers' names, mailing addresses and data tied to their driver's license numbers were exposed for about 30 months.
The breach occurred from 2018 until the spring of 2021. Wegmans began alerting customers whose information was compromised in June 2021. More than 830,000 New Yorkers were affected.
"In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers," James said in a statement.
Wegmans said it takes the security of customers' data very seriously, and there was no indication anyone misused that data.
"While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded," Wegmans said in a statement.
Wegmans is based in Rochester, New York. It said it has 108 stores in New York, Massachusetts, New Jersey, Pennsylvania, Maryland, Washington, D.C., Virginia and North Carolina.