What happens to executives of retail companies such as Wawa Inc. when they acknowledge a data breach that exposed customer data that should have stayed private?
Beginning in December 2013, giant retailer Target Corp. set an example that corporate security professionals still cite.
First, the chain acknowledged a data breach had exposed 40 million credit and debit card holders’ names and account numbers to criminals over the previous three weeks. Three weeks later, the company admitted hackers had also picked up personal information: phone numbers, addresses, and emails of 70 million Target customers.
That March, the company’s chief information officer, the executive responsible for its data and computer systems, resigned under pressure. The company also began searching for a new security chief and a new compliance boss.
Next, Target chief executive Gregg Steinhafel, who had spent 35 years with the company, took personal responsibility for the data breach, and stepped down from the top office. Target said the data breach cost it more than $160 million in 2013-14. The company later paid $28.5 million to settle private and state legal claims from the data breach.
Target said its data breach lasted three weeks. Wawa has acknowledged that malware exposed its payment data for nine months, from March to December. Wawa says payment card numbers, expiration dates and cardholder names were exposed, but not PINs, card security codes or other detailed personal information.
Wawa has not announced any changes at the top so far. Chris Gheysens, a Wawa lifer who rose through the accounting department, is Wawa’s chief executive. Its chief information officer is John Collier, who joined the company in 2016 after serving in a similar capacity at TracFone Wireless and in software architect jobs at Walmart and Bank of America.
Unlike Target, Wawa is a private company, owned partly by executives such as Gheysens, partly by members of the founding Wood family and their du Pont cousins, and partly by thousands of Wawa employees who receive shares through a retirement savings plan.
The chairman of its board of directors, whose job includes overseeing the CEO, is founding-family heir Richard D. Wood Jr. He has held the chairman job since retiring as CEO in 2004, and has presided over the board during the period of Wawa’s rapid growth from a regional cokes-smokes-milk-and-hoagies chain to a convenience store and gasoline outlet with more than $12 billion in annual sales at 850 stores from New Jersey to Florida.
Target, as a publicly traded company, was required by U.S. securities law to announce its data breach if it believed the resulting losses could materially affect the company’s profitability. Also, as a company doing business in California, it was required to tell customers in the most populous U.S. state when their “unencrypted personal information” had been “acquired, or reasonably believed to have been acquired, by an unauthorized person,” whether or not the company believed that customers had suffered a loss.
Wawa, as a private company, has fewer investor disclosure requirements. And Pennsylvania, where Wawa is based, has a more conditional data breach notification requirement: A company has to tell customers when it decides the loss of personal information is likely to “cause loss or injury,” which potentially gave Wawa more time to delay disclosure, according to a data-management company founder who asked that he not be identified by name because he has business ties to Wawa.
Even with delayed discovery and disclosure, a massive data breach is a time for a board to review management closely, the executive added. “Wawa is a digital company, like everyone else,” he said. “When you have a data breach like this, there is usually a failure, either in management, or in the quality of security.”
Which “doesn’t necessarily mean its CEO has to go,” he added. If Wawa was paying top dollar for state-of-the-art security systems that were poorly implemented, that will place pressure on the company to reconsider its tech approach. On the other hand, if a review found the company hadn’t been spending enough on tech and security, Gheysens as CEO would expect to face especially tough questions.
Either way, “they have to pay a lot more for security now — a great CIO, a great security head, best-in-class outsourcing, along with appropriate spend — because they can’t afford to let this happen again.”
“Where were the inside and outside auditors?” asked the head of a financial software company who asked not to be identified because his clients include Wawa service providers. “They are required to report regularly on these issues, system resiliency, regulatory compliance, et cetera. Our board meetings are mainly about these issues. After Target and all the others, I would think every board and their auditors are very sensitive to these issues.”
Wawa’s failure to catch the problem earlier naturally raises the question of “endemic governance challenges,” he added. “Nine months is way too long. And their response to date has been tepid. Like out of an old public relations manual. They need to be as aggressive in this as they are in selling hoagies.”
I ran that by Tony DeFazio, a Philadelphia communications consultant (updated 1/6/20) who has written on the theme of customer trust.
“The [Wawa] brand is to treat customers like family and friends, like a community partner,” DeFazio noted. He said it seemed to him that Wawa’s initial reliance on a press release and the by-now-familiar offer of a free credit report for affected customers appears “a little impersonal and a little reactive.”
DeFazio Communications counted more than 200,000 media mentions of the data breach in the days after Wawa disclosed it. DeFazio said he was surprised Wawa didn’t use such tools as mass emails, Facebook Live, or a posted Gheysens Q&A, suitably vetted by lawyers, as ways to respond to concerned customers with the usual Wawa “human touch.”