Under a settlement with the New York state attorney general's office, Wegmans is paying a $400,000 fine and has agreed to cyber security improvements following a data breach last year.
The personal data of more than 3 million Wegmans customers nationwide, including more than 830,000 in New York, was exposed in a data breach identified by a security researcher in April 2021.
New York Attorney General Leticia James said customers' names, email addresses, mailing addresses, Shoppers Club numbers and usernames and passwords for Wegmans.com accounts were placed on a cloud storage container that was unsecured and open to public access for several years, starting in January 2018.
Wegmans found a second misconfigured cloud storage container in May of last year that contained similar personal customer information.
Under a settlement with the attorney general's office, the company agreed to pay the $400,000 penalty and take new measures to protect consumers' personal data.
In a statement, Wegmans said it does not agree with some of the conclusions drawn by the attorney general, but that the company cooperated fully with the investigation.
Wegmans began notifying customers whose personal information was compromised in June 2021.