Wawa will pay $8 million to states affected by massive 2019 credit card data breach
Pennsylvania and New Jersey are each set to collect about $2.5 million in the settlement.
Wawa has agreed to pay $8 million after an investigation into the convenience store’s massive 2019 data breach, which potentially exposed the credit card information of millions of customers across six states, including Pennsylvania and New Jersey, and Washington, D.C.
Pennsylvania and New Jersey are each set to collect about $2.5 million in the settlement, according to attorneys general in both states.
In all, the $8 million is the third-largest attorneys general credit card breach settlement, second only to those against Target and Home Depot, according to Pennsylvania Attorney General Josh Shapiro.
“Today’s settlement will help protect Pennsylvanians personal information going forward,” Shapiro said Tuesday in a statement, “and will hold Wawa accountable for the data breach that occurred on their watch.”
Shapiro and New Jersey Acting Attorney General Matthew J. Platkin led the investigation into the breach, which compromised about 34 million payment cards used at Wawa stores between April 18, 2019, and Dec. 12, 2019.
The investigation found that Wawa’s lack of certain security measures made it possible for hackers to gain access to the stores’ network and deploy malware that collected customers’ card numbers, expiration dates, cardholder names, and other personal information, Shapiro and Platkin said. Wawa does not admit wrongdoing or liability in the settlement.
Wawa officials said in a statement that the company was “pleased” a resolution had been reached with the attorneys general.
“As the settlement notes, Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident,” company spokesperson Lori Bruce said. “From the outset, our focus has been to make this right for our customers and communities. We continue to take the necessary steps to safeguard our information security systems.”
Along with $8 million payment, the Delaware County-based company has agreed to take steps to strengthen data security and protect customers’ information. The steps include creating a comprehensive information security program in the next six months, providing security and privacy training to employees who are key to implementing the program, and getting an information security compliance assessment and report from a certified third-party professional within a year, according to the attorneys general.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” Platkin said in a statement. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation.”
The breach was also investigated by the attorneys general of Delaware, Florida, Maryland, Virginia, and the District of Columbia, where Wawa customers also had their card information compromised.
A federal judge earlier this year approved a settlement that would make Wawa pay customers as much as $9 million, with $8 million to be spent on $5 or $15 gift cards and up to $1 million to be spent on cash payments of as much as $500 for customers who could show that they lost money in the breach.