Online retailer Provision Supply LLC (Provision Supply) (operator of which sells contacts and eye glasses) settled with the New York attorney general last week for its failure to notify its web customers of a data breach that may have exposed 25,000 credit card numbers. Provision Supply will pay a $100,000 penalty and must improve its data security practices. New York Attorney General, Eric T. Schneiderman, said that the breach occurred back in August 2014, but Provision Supply did not learn of it until about a year later when its merchant bank informed Provision Supply that its customers credit cards were displaying fraudulent charges. After learning of these fraudulent charges, Provision Supply investigated the breach and hired a third party to remove the malware but it never informed its customers or law enforcement/the Attorney General of the incident which is in violation of the New York’s Information Security Breach and Notification Act.

Additionally, the Attorney General said that while Provision Supply’s website said that it was “100 percent safe and secure” lacked a written security policy to address security issues, had no effective server and firewall configurations to guard against unauthorized access and did not install anti-virus or anti-malware software or conduct reviews of site performance and security configuration.

Since just the beginning of this year, the New York Attorney General’s office has noticed a 40 percent increase in data breach notifications to its office.