$8 Million Dollar Settlement Reached with Wawa after 2019 Data Breach

In late July, it was announced that an $8 million settlement was reached with Wawa, Inc. as a result of a 2019 data breach that compromised approximately 34 million cards used at Wawa stores in each of the seven states and districts where Wawa operates—New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia, and the District of Columbia. The agreement is the third largest credit card breach settlement with state attorneys following Target’s $18.5 million settlement in 2017 and Home Depot’s $17.5 million settlement in 2020. Virginia’s share of the settlement is $682,432.14.  

This breach happened after hackers gained access to Wawa’s computer network in late 2018 through a phishing attack and later deployed malware on Wawa’s point-of-sale terminals and fuel dispensers, allowing access to customer data. The malware extracted customers’ sensitive credit and debit card information between April 18, 2019 and December 12, 2019. Virginia’s Attorney General and the other participating states’ attorneys allege that Wawa did not utilize reasonable information security measures to prevent the data breach and thus violated state consumer protection and personal information protection laws.  

In addition to the $8 million total payment to the states and D.C., Wawa has agreed to implement the following information security practices:  

1. Maintain a comprehensive information security program designed to protect consumers’ sensitive personal information; 

2. Provide resources necessary to fully implement the company’s information security program; 

3. Provide security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program; 

4. Employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and 

5. The company will undergo a post-settlement information security assessment which in part will evaluate its implementation of the agreed-upon information security program. 

Wawa has also faced consolidated litigation by consumers, employees, and financial institutions over the data breach. This settlement is a stark reminder of the need for companies to diligently implement and utilize security measures to protect consumer data. As many experts say, it is a matter of “when,” not “if,” a cybersecurity incident will hit a business.  

Worried about the implications of your business experiencing a data breach? The Parks Zeigler Cybersecurity and Data Privacy team can educate and advise you and your business on what data you possess, the regulatory and legal responsibilities as to that data, and how to implement policies and procedures to ensure you are protecting that data and following all applicable laws. Contact us today at at 888-691-9319 to schedule a consultation.