Wawa to make $8M in payments to states for data security lapses in 2019 breach

East Coast convenience store chain Wawa reached an $8 million settlement with a group of seven attorneys general on Tuesday over a 2019 data breach that exposed debit and credit card data for about 34 million payment cards.

Wawa neither acknowledged nor refuted the investigation's conclusions, according to which the retailer "failed to employ reasonable data security measures" after a 2019 malware attack compromised its payment processing servers.


The settlement included additional allegations that Wawa's information security team broke state laws governing the protection of consumer and personal information by failing to review alerts about the data breach.


Chris Gheysens, the chief executive of Wawa, acknowledged the incident in an open letter to customers in December 2019. According to him, upon discovering the incident the company "immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts." The breach lasted from March 4, 2019, until it was contained on Dec. 12, 2019.

As part of the settlement, Wawa consented to put in place and uphold a number of data security procedures aimed at enhancing its information security program and protecting customer personal information, such as:

1. obtaining an information security compliance assessment and report from a third party using generally accepted practices and standards within a year; 

2. maintaining a thorough information security program designed to safeguard customers' sensitive personal information; 

3. allocating resources necessary to implement the company's information security program; 

4. providing appropriate security awareness and privacy training to all staff who have key responsibilities for implementation and oversight of the information security program; and

5. employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, penetration testing, intrusion detection, and vendor account management.


Josh Shapiro, the attorney general of Pennsylvania, and Matthew Platkin, the acting attorney general of New Jersey, oversaw the inquiry with assistance from the attorneys general of Delaware, Florida, Maryland, Virginia, and the District of Columbia.


According to a press release from Shapiro's office, the $8 million agreement is the third-largest credit card breach settlement reached by attorneys general, after Target ($18.5 million) and The Home Depot ($17.5 million).


Requests for comment from Wawa were not answered.

By fLEXI tEAM