Why Wawa Is Being Forced To Pay Millions

Popular northeastern-based convenience store Wawa is being forced to pay out millions to customers for a scary reason.

By Charlene Badasie | Published

wawa

Wawa Inc has agreed to pay $8 million to end a years-long investigation into a data breach that affected 34 million payment cards used to make various purchases at its convenience stores and gas stations. The 2019 breach extracted sensitive card data like card numbers, expiration dates, and cardholder names, from transactions that took place between April and December. It affected stores in New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia, and Washington, D.C.  

According to the agreement provided by the Pennsylvania and New Jersey attorneys general, Wawa has also pledged to strengthen its data security practices going forward. Speaking about the ruling, Acting New Jersey Attorney General Matthew J. Platkin said the settlement is important for the strengthened cyber security measures it requires and for the money the convenience store chain must pay. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation,” he said via Grocery Business.

Platkin added that the Wawa settlement strongly indicates that lawmakers are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information. As such, the payout will be divided, in varying amounts, between Pennsylvania, New Jersey, and the other affected states. The agreement also marks the third-largest credit card breach settlement with attorneys general after Target Corp.’s deal for $18.5 million in 2017 and Home Depot Inc’s $17.5 million agreement in 2020, Reuters reported. A spokesperson for the retail chain did not comment on the ruling.

Interestingly, Wawa did not admit to any wrongdoing as part of the settlement. But in 2019, company CEO Chris Gheysens stated in an open letter to customers that malware had affected payment card information used at all their locations beginning. He added that the breach took place at different points in time after March 4th, until it was contained in mid-December that same year. At the time, the chain immediately initiated an investigation, while notifying law enforcement and payment card companies. They also hired an external forensics firm to support their response efforts, according to Convenience Store News.

The malware was later identified by their internal information security team. Because of the immediate steps taken by Wawa, the company believed the breach no longer posed a risk to customers using payment cards at their locations. The retail giant also arranged a dedicated toll-free call center to answer questions from customers, offering free credit monitoring and identity theft protection to anyone whose information may have been compromised.

In early 2021, the Pennsylvania-headquartered outlet resolved a class-action settlement by agreeing to pay affected customers $9 million. Wawa also spent an additional $35 million to upgrade its cybersecurity. People who used credit or debit cards at the retailer location during the breach timeline were eligible for relief, with the amount varying depending on how each person was impacted. A federal judge approved that settlement with an additional $3.2 million included for legal fees and expenses.