Wegmans has agreed to pay $400,000 in penalties after a 2021 data breach that exposed the personal information of 3 million customers, including more than 830,000 in New York.

New York Attorney General Letitia James said Thursday that the supermarket chain, which has a store in Auburn, must implement new security measures, including an information security program that is updated regularly to account for changes in technology and security threats. The company will also be required to maintain asset management practices, including an inventory of its cloud assets.

"Wegmans failed to safely store and seal its consumers' personal information; instead, it left sensitive information out in the open for years," James said. "Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers."

According to James' office, a security researcher told Wegmans in April 2021 that a cloud storage container, which was hosted on Microsoft Azure, was unsecured and open to public access. The cloud storage container had a backup file with more than 3 million customer email addresses and account passwords that were potentially exposed in the data breach.

The attorney general's office found the container was misconfigured when it was created in January 2018 — an error that existed until April 2021, when it was discovered that the cloud storage container was unsecured.

In May 2021, after learning of the first potential data breach, Wegmans found a second cloud storage container that was misconfigured and open to public access since November 2018, when it was created. The container had a database with customers' names, email addresses, mailing addresses and "additional data derived from drivers' license numbers," according to the attorney general's office.

In June 2021, Wegmans notified customers whose information was compromised. But the attorney general's office found that the company did not inventory its cloud assets that contain customers' personal information, did not secure user passwords, and did not conduct security testing of the cloud assets. It also did not retain long-term cloud asset logs that could be used to investigate security incidents.
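The two findings described above (storage containers left open to anonymous access for years, and no inventory of cloud assets holding customer data) are exactly what a routine asset audit is meant to catch. The following script is an added illustration written for this article, not code from Wegmans or from the attorney general's office: it walks a constructed container inventory, flags every container whose public access level allows anonymous reads, reports how long each has been exposed as of a given audit date, and builds the Azure CLI commands that would close the exposure. The inventory rows, field names, dates and the account name are all invented for the example; the `az storage container set-permission --public-access off` and `az storage account update --allow-blob-public-access false` commands are the standard Azure CLI options for closing anonymous access, given here as the author of this example understands them.

```python
"""Audit a storage container inventory for anonymous public access.

Hypothetical example: the inventory below is constructed for this
illustration and does not describe any real storage account.
"""
from datetime import date

# Constructed asset register. A real inventory would come from the cloud
# provider's API or CLI; the field names here are this example's own.
INVENTORY = [
    {"name": "customer-backups", "public_access": "container", "created": date(2018, 1, 1)},
    {"name": "loyalty-db",       "public_access": "blob",      "created": date(2018, 11, 1)},
    {"name": "app-logs",         "public_access": None,        "created": date(2019, 6, 1)},
]

# Constructed audit date used by the demo run below.
AUDIT_DATE = date(2021, 5, 1)

# Azure container access levels: "container" lets anyone list and read the
# container, "blob" lets anyone read a blob whose URL they know, and
# None (shown as "off" in the CLI) restricts access to authenticated callers.
SEVERITY = {"container": "high", "blob": "medium"}


def audit_containers(inventory, audit_date):
    """Return one finding per container that allows anonymous access,
    with the number of days it has been exposed as of audit_date,
    ordered worst first (by severity, then by longest exposure)."""
    findings = []
    for asset in inventory:
        level = asset.get("public_access")
        if level not in SEVERITY:
            continue  # private container: nothing to report
        findings.append({
            "name": asset["name"],
            "public_access": level,
            "severity": SEVERITY[level],
            "days_exposed": (audit_date - asset["created"]).days,
        })
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], -f["days_exposed"]))
    return findings


def remediation_commands(findings, account_name):
    """Build the az CLI commands that close anonymous access on each flagged
    container and then disable anonymous access for the whole account.
    account_name is a placeholder supplied by the caller."""
    cmds = [
        f"az storage container set-permission --account-name {account_name} "
        f"--name {f['name']} --public-access off"
        for f in findings
    ]
    # Account-level setting: prevents any container from being made public again.
    cmds.append(
        f"az storage account update --name {account_name} "
        f"--allow-blob-public-access false"
    )
    return cmds


if __name__ == "__main__":
    findings = audit_containers(INVENTORY, AUDIT_DATE)
    for f in findings:
        print(f"{f['severity']:6} {f['name']:18} "
              f"public_access={f['public_access']:9} exposed {f['days_exposed']} days")
    for cmd in remediation_commands(findings, "EXAMPLE_ACCOUNT"):
        print(cmd)
```

Run against the constructed inventory, the audit reports `customer-backups` (high, 1216 days exposed) and `loyalty-db` (medium, 912 days) and leaves `app-logs` alone. The exposure counter is the point of the exercise: the article's timeline (a container created misconfigured in January 2018 and found in April 2021) is the kind of multi-year gap that a scheduled run of a check like this, fed by a maintained inventory, turns into a same-week finding.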

Another finding was that Wegmans maintained checksums derived from customers' driver's license numbers "without a reasonable business purpose to maintain any form of driver's license information indefinitely." Under its agreement with the attorney general's office, the company will update its data collection and retention practices.

In a statement, Wegmans said it cooperated with the investigation and acknowledged a configuration issue with two of its cloud storage containers, but disagreed with "some of the conclusions drawn by the attorney general." The company did not outline its specific issues with the findings.

"Wegmans takes security of customer information very seriously and immediately remedied the situation once it was discovered," the supermarket chain said. "We have improved our processes to better protect customer information in the future."

Wegmans added that there was "no indication that customer data was accessed improperly or otherwise misused" and "no customer credit card or other sensitive data was involved."

