C-Store Chain Wawa to Pay $8M in Data Breach Settlement

Convenience store chain Wawa must pay $8 million to settle a multi-state data breach that compromised 34 million payment cards used to buy food, gas and other items, New Jersey's acting attorney general announced this week. 

In addition to paying the affected states, the settlement requires that 950-unit Wawa take multiple steps going forward to strengthen its network protections and better safeguard consumer payment card data.

The data breach extracted consumer payment card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019, and Dec. 12, 2019, and affected stores in New Jersey and five other states—Pennsylvania, Florida, Delaware, Maryland and Virginia—as well as Washington, D.C. 

“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said Acting New Jersey Attorney General Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”

“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” said Acting New Jersey Division of Consumer Affairs Director Cari Fais. “Unfortunately, identity theft is a real concern, and criminal hackers are always on the lookout for weaknesses in retailer data systems. Given this reality, retailers must periodically reassess their data protection systems and strengthen them as needed. We will hold accountable any retailers whose failure to do so results in a compromise of consumers’ privacy.”

The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 by deploying malware that may have been opened by a company employee.

A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale (POS) terminals inside the stores, as well as at the outside fuel pumps.

Specifically, the malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect personal identification numbers (PINs) or credit card CVV2 codes (the three- or four-digit security codes printed on the back of the card). Payment cards using chip technology were not compromised.

The attorneys general of New Jersey and Pennsylvania allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and, therefore, violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.

Wawa was unable to determine with specificity how many payment card transactions were compromised by the breach; however, in documents related to a private class-action lawsuit over the breach, Wawa provided a breakdown of all consumer pay card transactions that took place at its stores during the nine-month period at issue.

During that period, approximately 27.2% of all Wawa payment card transactions occurred in stores in New Jersey, while another 27% occurred at Wawa locations in Pennsylvania. Company stores in Florida had the next highest percentage of overall payment card transactions (22.1%), followed by Virginia (11.4%), Maryland, (6.4%), Delaware (5.6%) and Washington, D.C. (0.2%).

Wawa is required under the settlement to create a comprehensive information security program within six months.

The program must be overseen by a credentialed expert in the field, include security awareness training for all Wawa personnel with key responsibilities for implementing the program, and incorporate data protection best practices designed to prevent attackers from obtaining credentials and other sensitive data through malicious downloads and other threats.

The program must also comply with Payment Card Industry Data Security Standards and employ controls to ensure company systems are accessed only by those with appropriate credentials, controls such as multi-factor authentication, one-time passcodes and location-specific requirements, among others.

Within a year, Wawa also must obtain an information security compliance assessment and related report from third-party professional, a certified information systems security professional or certified systems auditor with at least five years’ experience in evaluating the effectiveness of computer systems or information systems security. Under the settlement, the compliance assessment report must be shared with the New Jersey Attorney General’s Office.

This story first appeared on WGB sister publication, CSP Daily News.