Online socks retailer Bombas reached a $65,000 settlement with the New York State Attorney General for failure to promptly notify customers of a data breach that impacted nearly 40,000 customers.

NY AG Leticia James disclosed that in 2014 unauthorized intruders inserted malicious code inside the Magento ecommerce platform, which was used to process transactions on the Bombas site. The code was discovered later that year, but mistakenly reintroduced and not fixed until January 2015.

James said that the hackers accessed names, addresses and payment card information for 39,561 customers, with 2,971 of them from New York, however Bombas failed to notify the customers until May 2018.

"New Yorkers deserve to shop with confidence and have faith that their personal information will be protected," James said in a release issued by the AG’s office. "This agreement will ensure better protection of New Yorker’s personal information and notice of a breach in a timely manner."

Bombas offered customers two years of credit monitoring, identity theft restoration and fraud consulting, according to the AG’s office. The company also agreed to future training and thorough investigation of future breaches.