Wawa faces wave of lawsuits in aftermath of massive data breach

Wawa has been hit with a wave of lawsuits claiming the company failed to protect consumers from a massive data breach that exposed their credit and debit card information.

At least six lawsuits, seeking class-action status, have been filed in federal court in Philadelphia. They allege that Wawa failed to adequately secure its computer systems from hackers who installed malware affecting potentially all of its stores. The breach compromised cardholder names, numbers, and expiration dates used in-store and at gas pumps. The cyberattack went undetected for nearly nine months.

The complaints describe Wawa’s approach to data security as “cavalier” and “lackadaisical." Lawsuits accuse Wawa of negligence, breach of contract, and violations of state consumer protection laws. The suits seek unspecified damages and lawyers fees, but all agree the issue involves more than $5 million.

“The data breach was the inevitable result of Wawa’s inadequate data security measures and cavalier approach to data security,” said one suit, filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith of Haverford. “Victims of the data breach have had their sensitive card Information compromised, had their privacy rights violated, been exposed to the increased risk of fraud and identify theft, lost control over their personal and financial information, and otherwise have been injured.”

Wawa, which is based in Wawa, Delaware County, has more than 850 stores in six states and the District of Columbia, including in Pennsylvania, New Jersey, and Delaware. The company, which had more than $12 billion in sales in 2018, serves about 700 million customers annually.

The lawsuits suggested that several million customers could have been affected.

A Wawa spokesperson declined comment, citing pending litigation.

Wawa found malware on its payment processing servers on Dec. 10 and contained it by Dec. 12, the popular convenience-store chain said last week. The malware had been running on its systems since March 4 and was on most of its store systems by April 22, CEO Chris Gheysens wrote customers last week.

Debit card pin numbers, credit card security codes, and driver’s license information were not affected by the malware, and the attack posed no risk to ATM machines, according to Wawa.

Wawa has said it reported its large-scale data breach to the FBI and doesn’t know who launched the cyberattack.

“We continue to work with top security experts to take steps to enhance the security of our systems and to support law enforcement in their ongoing investigation.” Wawa said in a statement last week.

One plaintiff is Tabitha Hans-Arroyo, of Woodbury Heights, Gloucester County, who says she went to Wawa on a “near-daily basis" during the data breach. She said someone fraudulently tried to spend $2,535.15 on her Capital One credit card on Tuesday, and as a result the credit card company locked her accounts the day before Christmas. She said Capital One referred her to a call center that confirmed that her card had been compromised in the Wawa data breach, the complaint said.

“This could not have occurred at a worse time,” said Benjamin F. Johns, a lawyer at Chimicles Schwartz Kriner, which is handling Hans-Arroyo’s case. “People like our client had their cards frozen right around the holiday period and it just added insult to injury. Until she gets a new card, she doesn’t have access to credit. And that has caused a real-world personal harm for our clients."

Johns said he didn’t know whether Hans-Arroyo was prevented from buying holiday presents.

Another plaintiff, Bucks County resident Kelly Emery, says someone in Florida twice withdrew $125 from a checking account associated with a debit card she used at a Wawa in Feasterville, Bucks County, leaving her with a negative balance before Black Friday.

Wawa has said it will pay for a year of identity-theft protection and credit monitoring for affected consumers who call 1-844-386-9559 (activation code: 4H2H3T9H6). The company has also told customers to closely review account statements for unauthorized charges. Under federal law, customers who notify their card company shortly after discovering fraudulent charges won’t have to pay those charges.

The credit monitoring is too little too late, according to Hans-Arroyo’s complaint.

“This belated remedy does nothing to protect against the millions of customers who had their sensitive data exposed to criminals for nearly nine months, and does not ensure protection from fraud going forward,” the lawsuit said.

Lawyer Johns did not put a price tag on the suit. He said the number of plaintiffs could be “massive." If the case is granted class-action status, the firm will try to recover out-of-pocket expenses, the costs of credit monitoring for plaintiffs, and something to cover “the time and hassle of trying to get a new card.”

In 2017, Target Stores paid $18.5 million to settle a similar case, a breach that compromised the data of millions of customers.