Wawa settles data breach in multistate resolution co-led by NJ

New Jersey is co-leading an $8 million multistate settlement with Wawa stemming from a 2019 breach that compromised some 34 million consumers’ credit or debit cards.

Acting Attorney General Matthew Platkin announced July 26 that New Jersey will receive approximately $2.5 million of the overall settlement payout.

The breach, which took place in 2019 between April and December, extracted consumer payment card data, including card numbers, expiration dates and cardholder names in New Jersey, Pennsylvania, Florida, Delaware, Maryland and Virginia, as well as Washington, D.C.

In addition to paying the settlement, Wawa must also take steps to strengthen network protections and better safeguard consumer card data.

“This settlement is as important for the strengthened cybersecurity measures it requires as for the dollars Wawa must pay,” said Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation.”

Investigators say the breach occurred after hackers gained access to Wawa’s network in 2019, most likely through malware opened by a company employee. A few months later, the hackers deployed that malware, which allowed them to obtain magnetic strip data from cards processed at point-of-sale terminals and at outside fuel pumps.

While Platkin and co-lead Josh Shapiro, Pennsylvania’s attorney general, allege that Wawa failed to employ reasonable security measures and therefore violated state consumer protection laws, Wawa makes no admission of wrongdoing or liability under the terms of the settlement.

However, the retailer will be required to create a comprehensive information security program within six months.

“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” said acting Division of Consumer Affairs Director Cari Fais. “Unfortunately, identity theft is a real concern, and criminal hackers are always on the lookout for weaknesses in retailer data systems.”

Fais said that given this reality, it is incumbent upon retailers to reassess data protection systems and strengthen them as needed.

“We will hold accountable any retailers whose failure to do so results in a compromise of consumers’ privacy,” Fais added.

Under the settlement, Wawa’s mandated security program must be overseen by a credentialed expert and include security awareness training for company personnel and incorporate best practices to help thwart hackers. Within a year, Wawa must also obtain a security compliance assessment and report, which must be shared with the New Jersey Attorney General’s Office.

Wawa says they are taking steps to prevent a future breach. In a statement, spokeswoman Lori Bruce said Wawa is “pleased” to have reached this resolution.

“As the settlement notes, Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident,” Wawa said in the statement. “From the outset, our focus has been to make this right for our customers and communities. We continue to take the necessary steps to safeguard our information security systems.”

“This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information,” said Platkin.