July 26, 2022
More than three years after a massive data breach exposed payment card information from millions of Wawa customers, the convenience store chain has reached an $8 million agreement with the attorneys general of six states and the nation's capital.
The agreement, announced Tuesday, puts an end to the states' investigation into the discovery of malware that enabled hackers to access sensitive customer data between April and December 2019.
The investigation concluded that Wawa failed to employ reasonable security measures that would have prevented the hackers from gaining access. Those responsible for hacking Wawa's systems have not been caught.
The agreement with Wawa covers Pennsylvania, New Jersey, Maryland, Delaware, Florida, Virginia and Washington, D.C. The money will be used to cover litigation fees and to support states' consumer protection law enforcement efforts.
During the breach, about 27.2% of Wawa payment transactions occurred at New Jersey stores. Another 27% occurred in Pennsylvania stores. The states each will collect about $2.5 million through the settlement.
"This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay," said New Jersey acting Attorney General Matthew Platkin. "When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information."
Wawa discovered the data breach in December 2019. The exposed information included cardholder names, numbers and expiration dates. Debit card PINs, credit card CVV2 numbers, ATM machines and driver's license info were not impacted.
The data breach is believed to have impacted more than 850 Wawa locations and more than 30 million sets of payment records. Malware was present on most convenience store payment systems by late April 2019, the company said.
Some of the confidential information was believed to have been sold online by hackers.
A separate class-action lawsuit was filed against Wawa within days of the breach being announced, but final approval of a settlement in that case remains tied up in an appeal.
The proposed $12.2 million settlement would require Wawa to hand out up to $8 million in gift cards and as much as $1 million in cash reimbursements for customers who used their debit or credit cards at a Wawa store or fuel pump between March 4, 2019 and Dec. 12, 2019. The agreement covers about 22 million customers affected by the incident.
How much customers receive from Wawa would depend on whether their card information was used in fraudulent transactions and how much the customers suffered harm as a result of the data breach. The payments could range from a $5 gift card to cash reimbursements of $500.
Although final approval for the class action lawsuit settlement was granted by a federal judge in April, Wawa employees involved in the lawsuit appealed over claims that their interests were not properly considered in the proceedings.
Wawa's consumer data security settlement website notes that relief will not be distributed until the litigation is resolved. Once that happens, affected customers will be able to file claims online or by mail.
As part of Wawa's agreement with the attorneys general, the company will be required to implement and maintain a series of data security practices to strengthen its information security program.
"Today's settlement will help protect Pennsylvanians' personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch," said Pennsylvania Attorney General Josh Shapiro, who is running for governor against state Sen. Doug Mastriano. "Thanks to this work Wawa will adopt new corporate policies to deter data breaches in the future."
During the COVID-19 pandemic, Wawa began rolling out an improved payment security method by installing card chip readers at gas pumps. The new card readers require customers to leave their cards in the machine for about 30 seconds to process the payment. The data transmitted using chip-enabled cards is encrypted and only a financial institution can un-encrypt it.
The company has worked with an external forensics firm and law enforcement officials to conduct an investigation into the vulnerabilities that led to the data breach. The class action lawsuit settlement would mandate that Wawa invest an additional $35 million into upgrading its data security systems.