December 27, 2019
At least six plaintiffs, including a New Jersey woman and a Florida man, have filed a class-action lawsuit against Wawa in the wake of a massive data breach that potentially exposed the credit and debit information of customers across the company's territory.
Wawa announced Dec. 19 that it discovered the data breach had affected all 850 of its locations. The company said the malware began running March 4 and was first detected Dec. 12.
Credit and debit card numbers, expiration dates, and cardholder names on payment cards were affected by the malware, but not debit card PIN numbers, credit card CVV2 numbers, or driver's license information, Wawa said last week. The threat was believed to be contained as of the date the malware was discovered.
Tabitha Hans-Arroyo, one of the plaintiffs suing the company, said she was notified of a suspicious charge by Capital One on Christmas Eve. Someone had made an unauthorized $2,535.15 purchase on Walmart.com.
Hans-Arroyo used her card at Wawa almost daily during the period of the data breach, which appears to have affected in-store purchases and gas pump transactions. The lawsuit accuses Wawa of negligence, breach of contract and violations of state consumer protection statutes.
Ronnie Kaufman, a Florida resident, claims Wawa should have known it was "highly susceptible to attack" and failed to inform customers in a reasonable timeframe, waiting a week before making the breach public. From the lawsuit:
Wawa disregarded the rights of Plaintiff and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and/or payment processor servers and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis.
Hans-Arroyo is looking to recover damages cause by the data breach, while Kaufman's suit also aims to recover damages for a class of all Wawa consumers in the U.S. whose personally identifiable information was acquired by unauthorized persons.
Wawa CEO Chris Gheysens apologized for the data breach and said the company is providing one year of free identity theft protection and credit monitoring. Customers can call 1-844-386-9559 for more information about this service.