February 24, 2021
Wawa customers may soon be eligible to receive gift cards or cash payments as compensation for the convenience store chain's massive data breach in 2019.
A proposed settlement to a class action lawsuit would require Wawa to hand out up to $8 million in gift cards and as much as $1 million in cash reimbursements.
If approved, any customers who used their debit or credit cards at a Wawa store or fuel pump between March 4, 2019 and Dec. 12, 2019 would be eligible to file a claim and enter into the class action lawsuit.
Here's how the proposed compensation process would work:
Affected customers would file claims at this website, which would go live once the settlement is approved. The website would provide people with information on how to file claims and list the deadlines. Customers also would be able to file claims through the mail.
Wawa customers who can present evidence of an actual or attempted fraudulent charge would be eligible to receive a $15 gift card. All other Wawa customers who purchased items during the data breach would be eligible to receive a $5 gift card.
Gift cards would be valid for one year and usable toward any purchase except cigarettes and other tobacco or nicotine products. Gift cards also would be redeemable for fuel payments completed inside Wawa stores.
Customers who can provide proof that they lost money because of an attempted or successful malware attack would be eligible to receive as much as $500 in cash. Eligible out-of-pocket costs include credit freeze fees, bank fees and replacement card fees.
A third-party administrator would oversee the distribution of gift cards and cash payments to customers.
Wawa would be responsible for notifying customers of the settlement process during a four-week period. The company would be required to post signs at payment areas inside stores and at fuel pumps, provide a link to the settlement site on its own website, and issue a press release providing details on how to file a claim.
All signs posted would include a QR code that could be scanned by customers using their smartphones. Once the code is scanned, customers would be automatically taken to the settlement website to file a claim.
Wawa discovered the data breach in December 2019. The exposed information included cardholder names, numbers and expiration dates. Debit card pin numbers, credit card CVV2 numbers, ATM machines and driver's license info were not impacted.
The data breach is believed to have impacted more than 850 Wawa locations and roughly 30 million sets of payment records. Malware was present on most convenience store payment systems by late April 2019, according to the company.
Wawa notified law enforcement agencies and payment card companies about the data breach shortly after its discovery. The convenience store chain has worked with an external forensics firm and law enforcement officials to conduct an investigation.
Wawa began rolling out an improved payment security method last year by installing card chip readers at gas pumps. The new card readers require customers to leave their cards in the machine for about 30 seconds to process the payment. The data transmitted using chip-enabled cards is encrypted and only a financial institution can un-encrypt it.
The settlement also would mandate Wawa invest an additional $35 million into upgrading its data security systems.