San Jose, Calif.-based software maker Adobe Systems will be paying $12 million to 15 states to settle a breach claim under a multistate agreement announced on Monday.

The charges stem from a 2013 incursion into its servers that resulted in the theft of personal information of three million customers, according to Consumer Affairs.

Attackers gained access to a public-facing web server and commandeered it to tunnel their way into other servers on Adobe’s network. The miscreants stole encrypted payment card numbers along with their expiration dates, names, addresses, telephone numbers, email addresses and usernames, as well as other personally identifiable information.

The 15 states that brought charges on behalf of residents claimed that Adobe did not take “reasonable security measures” to guard its data.

According to a press release from the North Carolina Department of Justice, “Adobe will pay $1 million to North Carolina and 14 other states and implement new policies and practices to prevent future similar breaches.”