New Jersey to Receive $2.5 Million From Wawa Data Breach Lawsuit Settlement

TRENTON, NJ – Wawa will pay New Jersey $2.5 million out of an $8 million multistate settlement after hackers breached company servers and compromised the data of millions of customers.

According to Acting Attorney General Matthew J. Platkin, New Jersey is co-leading an overall $8 million multistate settlement with Wawa Inc. that resolves the state’s investigation into a data breach that compromised approximately 34 million payment cards used by consumers to buy food and gas and other items at Wawa stores and fueling locations.

“The data breach extracted consumer payment card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019 and December 12, 2019, and affected stores in New Jersey and five other states – Pennsylvania, Florida, Delaware, Maryland, and Virginia – as well as Washington, D.C.,” New Jersey officials said today.

“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said Acting Attorney General Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”

“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” said Acting Division of Consumer Affairs Director Cari Fais. “Unfortunately, identity theft is a real concern, and criminal hackers are always on the lookout for weaknesses in retailer data systems. Given this reality, retailers must periodically reassess their data protection systems and strengthen them as needed. We will hold accountable any retailers whose failure to do so results in a compromise of consumers’ privacy.”

According to state documents:

The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 by deploying malware that may have been opened by a company employee.

A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside the stores, as well as at the outside fuel pumps.

Specifically, the malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect PIN numbers or credit card CVV2 codes (the three- or four-digit security codes printed on the back of the card). Payment cards using chip technology were not compromised.

Acting Attorney General Platkin and Attorney General Shapiro allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.

Wawa was unable to determine with specificity how many payment card transactions were compromised by the breach. However, in documents related to a private class action lawsuit over the breach, Wawa provided a breakdown of all consumer pay card transactions that took place at its stores during the nine-month period at issue.

During that period, approximately 27.2 percent of all Wawa payment card transactions occurred in stores in New Jersey, while another 27 percent occurred at Wawa locations in Pennsylvania. Company stores in Florida had the next highest percentage of overall payment card transactions (22.1 percent), followed by Virginia (11.4 percent), Maryland (6.4 percent), Delaware (5.6 percent) and Washington, D.C. (0.2 percent).

Wawa is required under today’s settlement to create a comprehensive information security program within six months.