Wegmans Food Markets has agreed to pay $400,000 to New York state and shore up its cyber security, after its customers’ personal information was compromised.
The settlement with the grocery chain was announced in a statement from the office of New York Attorney General Letitia James on Thursday.
Wegmans is a regional supermarket chain with 107 stores: 48 in New York, 18 in Pennsylvania, nine in New Jersey, 14 in Virginia, eight in Maryland, six in Massachusetts and four in North Carolina.
The personal information of more than 3 million people nationwide was compromised after the company’s misconfigured cloud storage containers were left open for more than three years, according to the AG’s statement.
The compromised data included usernames and passwords for Wegmans accounts, as well as customers’ names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers.
In June 2021, Wegmans began notifying affected consumers whose personal information was compromised. The attorney general’s office determined that, in addition to failing to appropriately configure the cloud storage containers to limit access to their contents, Wegmans had failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.
Besides agreeing to pay $400,000 to the state, Wegmans must also adopt measures to secure its customers’ information, including maintaining a comprehensive information security program and an inventory of all cloud assets, establishing appropriate password policies and procedures for customer accounts, updating its data collection and retention practices, and other actions to secure its data.