Wawa to Pay $2.5 Million to Pennsylvania After Compromising 9.1 Million Users’ Credit Cards

By Adam Capotorto

Wawa has to pay $8 million under an agreement, with a large sum going to the state of Pennsylvania, after a breach of credit card information.

In an official release, the Attorney General’s Office announced an $8 million agreement with Wawa to resolve a December 2019 data breach that compromised approximately 34 million payment cards across all Wawa stores. AG Shapiro and New Jersey AG Matthew J. Platkin led a coalition of seven attorneys general in investigating the breach. It is the third largest attorney general credit card breach settlement, behind Target and The Home Depot. Pennsylvania will collect $2,525,732 through this settlement.

AG Shapiro immediately opened an investigation when Wawa proactively notified his office following the data security incident. The investigation came to the conclusion that Wawa failed to employ reasonable security measures, which allowed hackers to gain access to Wawa’s network and deploy malware on the company’s payment processing servers at its stores. The malware allowed the hackers to obtain the payment card information of Wawa customers between April 18, 2019, and December 12, 2019. In Pennsylvania, approximately 9.1 million payment cards were potentially exposed to hackers.

“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” AG Shapiro said.

“Thanks to this work, Wawa will adopt new corporate policies to deter data breaches in the future. Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ data or they will have to answer to my office.”

In addition to the $8 million total payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard personal information. Specific information security provisions agreed to in the settlement include:

  • Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • Providing resources necessary to implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have responsibilities for implementation and oversight of the information security program;
  • Employing specific security safeguards for logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment to evaluate its implementation of the agreed-upon information security program.

Joining Attorney General Shapiro in the investigation and settlement are the attorneys general of Delaware, Florida, Maryland, New Jersey, Virginia, and the District of Columbia. Senior Deputy Attorney General Timothy R. Murphy led the coalition investigation.