New York Attorney General Letitia James said that Wegmans did not do enough security testing and failed to ensure consumer information was kept private.
The breach was discovered in April 2021 when a security researcher found that a cloud storage container containing consumers’ sensitive information, such as usernames and passwords for Wegmans accounts, customers’ names, email addresses, mailing addresses and drivers’ license numbers, was unsecured and open to public access.
In May 2021, Wegmans discovered a second cloud storage container was unsecured and had been open to the public for just under three years.
The Attorney General says the data breach compromised more than 3 million consumers nationwide, with more than 830,000 of those consumers in New York State.
Wegmans is required to pay $400,000 in penalties to the state. It also must upgrade how it handles cloud security and collects and retains consumer information.