
$8 Million Settlement Reached In Wawa Data Breach

Additionally, Wawa has agreed to bolster its security practices after the 2019 breach that affected 34 million payment cards.

Pennsylvania, where about 9.1 million payment cards were potentially exposed, will collect $2,525,732 through this settlement. (Peggy Bayard/Patch)

WAWA, PA — Wawa has agreed to a multi-million-dollar settlement and to bolster its security practices after a 2019 incident breached the data of millions of payment cards across all of Wawa's locations.

Attorney General Josh Shapiro Tuesday announced an $8 million agreement with Wawa to resolve a December 2019 data breach that compromised about 34 million payment cards used at every Wawa store.

Shapiro, along with acting New Jersey AG Matthew J. Platkin, led a coalition of attorneys general from Delaware, Florida, Maryland, Virginia, and the District of Columbia in investigating the breach.


This is the third-largest attorneys general credit card breach settlement, behind Target and The Home Depot.

Pennsylvania will collect $2,525,732 through this settlement.


It all started when a prolonged attack on Wawa's system occurred between April 18, 2019, and Dec. 12, 2019.

The attack allowed hackers to gain access to Wawa’s network and deploy malware on the company’s payment processing servers at all its stores.

Shapiro's office launched its investigation immediately after Wawa told his office of the breach.

In Pennsylvania, approximately 9.1 million payment cards were potentially exposed.

Affected customers were able to receive payouts from Wawa, but those claims had to be filed by Nov. 29, 2021.

In addition to the $8 million total payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

Specific information security provisions agreed to in the settlement include:

  • maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • providing resources necessary to fully implement the company’s information security program;
  • providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
  • employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • consistent with previous state data breach settlements, undergoing a post-settlement information security assessment, which in part will evaluate the company's implementation of the agreed-upon information security program.

Joining Attorney General Shapiro in the investigation and today’s settlement are the attorneys general of Delaware, Florida, Maryland, New Jersey, Virginia, and the District of Columbia.
