In late July, it was announced that an $8 million settlement was reached with Wawa, Inc. as a result of a 2019 data breach that compromised approximately 34 million cards used at Wawa stores in each of the seven states and districts where Wawa operates—New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia, and the District of Columbia. The agreement is the third largest credit card breach settlement with state attorneys following Target’s $18.5 million settlement in 2017 and Home Depot’s $17.5 million settlement in 2020. Virginia’s share of the settlement is $682,432.14.
This breach happened after hackers gained access to Wawa’s computer network in late 2018 through a phishing attack and later deployed malware on Wawa’s point-of-sale terminals and fuel dispensers, allowing access to customer data. The malware extracted customers’ sensitive credit and debit card information between April 18, 2019 and December 12, 2019. Virginia’s Attorney General and the other participating states’ attorneys allege that Wawa did not utilize reasonable information security measures to prevent the data breach and thus violated state consumer protection and personal information protection laws.
In addition to the $8 million total payment to the states and D.C., Wawa has agreed to implement the following information security practices:
- Maintain a comprehensive information security program designed to protect consumers’ sensitive personal information;
- Provide resources necessary to fully implement the company’s information security program;
- Provide security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
- Employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
- The company will undergo a post-settlement information security assessment which in part will evaluate its implementation of the agreed-upon information security program.
Wawa has also faced consolidated litigation by consumers, employees, and financial institutions over the data breach. This settlement is a stark reminder of the need for companies to diligently implement and utilize security measures to protect consumer data. As many experts say, it is a matter of “when,” not “if,” a cybersecurity incident will hit a business.
Worried about the implications of your business experiencing a data breach?
We Are Here To Help
Starting or running a small business comes with a lot of important decisions, many with serious legal ramifications. Our Cybersecurity attorneys are here to answer your questions and help you navigate the legal side of owning a business. Whether you’re just getting started or need guidance on business structure, contracts, or compliance, we’re ready to support you. Call us today or fill out a quick form to schedule a consultation and take the next step with confidence.
Written By Kellam T. Parks
Kellam founded what is now Parks Zeigler, PLLC in 2012 to embrace modern technologies to best serve clients. This passion for technology led to the formation of the Cybersecurity/Data Privacy practice area making the firm a leader in helping businesses protect themselves and respond to incidents. When he’s not practicing law in this area and handling high-asset divorces, Kellam manages the firm with his co-owner, Brandon Zeigler, contributes to local and state-wide Bar associations, and frequently writes and speaks to audiences across a variety of sectors and geographic locations, including nationally on the topics of Cybersecurity/Data Privacy, digital evidence, law firm management, and technology/AI.
Recent Resource Articles
