In late July, it was announced that an $8 million settlement was reached with Wawa, Inc. as a result of a 2019 data breach that compromised approximately 34 million cards used at Wawa stores in each of the seven states and districts where Wawa operates—New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia, and the District of Columbia. The agreement is the third largest credit card breach settlement with state attorneys following Target’s $18.5 million settlement in 2017 and Home Depot’s $17.5 million settlement in 2020. Virginia’s share of the settlement is $682,432.14.
This breach happened after hackers gained access to Wawa’s computer network in late 2018 through a phishing attack and later deployed malware on Wawa’s point-of-sale terminals and fuel dispensers, allowing access to customer data. The malware extracted customers’ sensitive credit and debit card information between April 18, 2019 and December 12, 2019. Virginia’s Attorney General and the other participating states’ attorneys allege that Wawa did not utilize reasonable information security measures to prevent the data breach and thus violated state consumer protection and personal information protection laws.
CONTACT OUR EXPERIENCED CYBERSECURITY ATTORNEYSContact us Today
In addition to the $8 million total payment to the states and D.C., Wawa has agreed to implement the following information security practices:
- Maintain a comprehensive information security program designed to protect consumers’ sensitive personal information;
- Provide resources necessary to fully implement the company’s information security program;
- Provide security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
- Employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
- The company will undergo a post-settlement information security assessment which in part will evaluate its implementation of the agreed-upon information security program.
Wawa has also faced consolidated litigation by consumers, employees, and financial institutions over the data breach. This settlement is a stark reminder of the need for companies to diligently implement and utilize security measures to protect consumer data. As many experts say, it is a matter of “when,” not “if,” a cybersecurity incident will hit a business.