Wawa has agreed to pay customers up to $9 million and spend $35 million upgrading its cybersecurity to settle a class-action lawsuit stemming from a massive data breach that exposed customers’ credit and debit card information for over nine months.

Under a proposed settlement filed in federal court Friday, the convenience store chain would provide customers with up to $8 million in Wawa gift cards and pay up to $1 million in cash payments to affected consumers. The agreement must still be approved by a judge overseeing the case.

Wawa would also have to make “significant data security enhancements” valued at $35 million after hackers installed malware in 2019 that exposed cardholders’ names, numbers, and expiration dates used in-store and at gas pumps. The data breach affected all Wawa stores, according to Chimicles Schwartz Kriner & Donaldson-Smith LLP, the Haverford law firm representing consumers in the case. The breach may have compromised millions of payment cards, cybersecurity experts said at the time, and criminals may have sold the information online.

Under the plan, Wawa will pay an additional $3.2 million to cover administration costs, as well as pay attorney fees and expenses, among other costs.

Wawa spokesperson Lori Bruce said that under the plan, a third-party administrator will oversee the gift cards and payments. Wawa will name the administrator once the plan is approved.

According to a statement announcing the settlement, consumers in the United States who used their payment cards at a Wawa store or fuel pump location between March 4, 2019, and Dec. 12, 2019, can get the gift cards or money. That’s how long the malware was running on Wawa’s computer systems before it was discovered.

Class members who did not suffer attempted or actual fraud on their payment cards could get a $5 Wawa gift card. Customers who can show that someone tried or succeeded in victimizing them could receive a $15 Wawa gift card.

And consumers who can provide “reasonable documentary proof” that they lost money because of an actual or attempted fraud could be reimbursed up to $500. Customers would need to submit a claim to receive a gift card or cash payment.

Wawa, which is based in Wawa, Delaware County, was hit with a wave of lawsuits claiming the company failed to protect consumers from hackers after it announced the data breach in December 2019.

Several banks proactively reissued thousands of debit and credit cards, and Wawa called in the FBI to help with the case, although no arrests have been announced. Debit card PINs, credit card security codes, and driver’s license information were not affected by the malware, and the attack posed no risk to ATMs, the company has said.

The privately held convenience store chain has more than 850 stores in six states and the District of Columbia, including in Pennsylvania, New Jersey, and Delaware. It serves about 700 million customers annually.

Hackers have targeted gas stations and retail stores with sophisticated cyberattacks in recent years. In 2017, Target Stores paid $18.5 million to settle a similar case over a breach that compromised the data of millions of customers.