Wawa to pay $8M for credit, debit card data breach by hackers

Wawa has agreed to an $8 million settlement with New Jersey and five other states nearly three years after hackers used malware to steal credit and debit card information on 34 million transactions during an eight-month span in 2019, state officials said.

The state of New Jersey will receive about $2.5 million while the rest will be divided between Pennsylvania, Florida, Delaware, Maryland, Virginia and Washington DC, the state Office of the Attorney General announced Tuesday.

In April, Wawa agreed to pay $12 million to settle a class action lawsuit that stemmed from the data breach.

Months after deploying malware that a Wawa employee opened, hackers used additional malware to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside stores and at gas pumps, authorities said.

While customers’ card numbers, names and expiration dates were stolen, the hackers weren’t able to access PIN numbers or credit card CVV2 codes (the three- or four-digit security codes printed separately on cards).

In addition, customers who used cards with chips weren’t affected.

While officials alleged Wawa failed to protect customers’ private information, the popular convenience store admitted no wrongdoing in agreeing to the settlement.

Wawa also agreed to enhance how it protects customers’ information and who has access to it.

“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” acting Attorney General Matt Platkin said in a statement. “This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”

Wawa said it has already taken steps to ensure the breach is not repeated.

“As the settlement notes, Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident,” Wawa said in a statement. “From the outset, our focus has been to make this right for our customers and communities. We continue to take the necessary steps to safeguard our information security systems.”

Nearly 9.25 million of the 34 million transactions in that span took place in New Jersey. About 9.2 million were in Pennsylvania with the rest divided among the other locations.

Wawa didn’t immediately respond to a request for comment from NJ Advance Media.

The chain has more than 800 stores, including about 275 in New Jersey, and employs about 35,000 people along the East Coast. Wawa has opened 14 new stores in the state this year.


Jeff Goldman may be reached at jeff_goldman@njadvancemedia.com.
