With 850 locations from New Jersey to Florida, 700 million customers a year, and more than $12 billion in annual sales, Wawa — which opened its first convenience store 56 years ago in Delaware County — is no longer just a Philly regional favorite. So the questions about a breach of customer data that went undetected for nine months in 2019 have more than local ramifications; a half-dozen lawsuits have been filed in federal court, alleging that Wawa’s computer system was not adequately protected from hackers. Meanwhile the privately held company’s tight-lipped, strictly by-the-numbers response so far strikes us as underwhelming.
Beginning March 4, names, numbers, and expiration dates on customer credit and/or debit cards were compromised by a cyber hack that installed malware on servers used to process gas pump and in-store transactions at potentially all Wawa locations. Driver’s licenses, birth dates, and other consumer data were not hacked, according to the company, which said it discovered the malware Dec. 10 and contained it by Dec. 12. Wawa announced the breach on Dec. 19 and posted an “open letter” from CEO Chris Gheysens.
As for what looks to us like a week’s delay in notifying customers about the hack, Wawa’s response is governed by state law that experts say can allow a privately held company some leeway in notification until a breach is found likely to “cause loss or injury” to customers, The Inquirer’s Joseph N. DiStefano noted in his Jan. 5 column.
That could change. The National Conference of State Legislatures says Pennsylvania and New Jersey are among some 25 states mulling over legislation to bolster consumer data protection. Pennsylvania’s bill, introduced in April, would improve consumer access to and control over what information businesses collect about them and how it is used. New Jersey is considering bills that would establish obligations for businesses.
Last May, officials from the Federal Trade Commission testified before the House Energy and Commerce Subcommittee on Consumer Protection and Commerce in support of such efforts at the federal level. And U.S. Sen. Ron Wyden, a Washington state Democrat who is a leader in technology issues, has proposed the aptly named “Mind Your Own Business Act” to impose monetary and other possible penalties — such as jail time for company officials — for certain violations of customer privacy, require clear federal rule-making, and increase resources for FTC enforcement.