Wawa pays NJ $2.5M to settle credit card data breach
TRENTON – Wawa is paying $8 million, including a little over $2.5 million to New Jersey, to settle a multistate investigation into a data breach that compromised 34 million payment cards.
Attorneys general in six states – New Jersey, Delaware, Florida, Maryland, Pennsylvania and Virginia – and the District of Columbia said the data breach included customers’ card numbers, expiration dates and cardholder names on transactions between April 18, 2019 and Dec. 12, 2019.
Sales at Wawa’s retail stores and gas pumps were impacted.
In addition to paying the states, Wawa is required by the settlement to take multiple steps going forward to strengthen its network protections and better safeguard consumer payment card data, including putting a comprehensive information security program in place within six months.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said acting Attorney General Matthew Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation.”
Cari Fais, the acting director of the state Division of Consumer Affairs, said retailers must periodically reassess and strengthen their data protection systems to deter identity theft.
“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” Fais said.
The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 by deploying malware that may have been opened by a company employee. A few months later, they were able to obtain magnetic stripe data from cards processed at Wawa’s stores and fuel pumps.
The malware collected customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data but did not collect PIN numbers or credit card CVV2 codes, the three- or four-digit security codes printed on the back of the card.
Payment cards using chip technology were not compromised.
Wawa couldn’t determine specifically how many transactions were compromised. But in the nine months affected, 27.2% of all Wawa payment card transactions occurred in New Jersey, slightly more than Pennsylvania and the most among the states where the company operates.
Wawa first acknowledged the data breach affecting its 850 stores in December 2019, and a month later some of the data was being sold on the dark web. The company was sued and proposed a settlement including gift cards and cash to those affected.