Judge Grants Final Approval to Wawa's $12M Consumer Data Breach Settlement

The agreement covers a class of nearly 22 million customers affected by the 2019 incident.

WAWA, Pa. — Wawa Inc. is close to closing the books on its 2019 data breach.

On April 20, U.S. District Court Judge Gene E.K. Pratter signed off on a $12-million agreement to settle the security breach that occurred between March and December 2019 and affected nearly all Wawa locations.

The settlement was reached between the convenience retailer and a class of nearly 22 million customers, reported Bloomberg Law.

In a settlement first filed with the court in February 2021, Wawa agreed to pay the affected customers in the form of gift cards or cash, plus spend $35 million to upgrade its cybersecurity. The customers were granted preliminary class status in late July.

According to an earlier Bloomberg Law report, the settlement includes three tiers of customers who will receive gift cards for either $5 or $15, or $500 in cash, depending on the severity of their injury from the data breach.

The first tier includes all customers who used a debit or credit card to make a purchase during the data breach period, and who said they spent additional time monitoring their accounts as a result. The second tier applies to customers who had fraudulent transactions processed on their cards and had to spend time addressing them. The third includes customers who suffered out-of-pocket losses as a result of the breach, the news outlet reported.

In an open letter to customers in late December 2019, Wawa CEO Chris Gheysens said malware affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained on Dec. 12, as Convenience Store News previously reported.

"At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines," he said.

Though the dates varied and some Wawa locations may not have been affected at all, the malware was present on most store systems by approximately April 22, 2019. The retailer's information security team identified the malware on Dec. 10, and by Dec. 12, it had blocked and contained the malware. 

Upon detection, Wawa initiated an investigation and notified law enforcement and payment card companies. The investigation found the malware affected payment card information, including credit and debit card numbers, expiration dates and cardholder names on payment cards.

Not all information was impacted. The malware did not access debit card PIN numbers, credit card CVV2 numbers (the three- or four-digit security code printed on the card), other PIN numbers or driver’s license information used to verify age-restricted purchases, Wawa reported in late 2019.

At the time of the data breach, Wawa operated around 870 c-stores throughout Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C. Today, the Pennsylvania-based chain operates roughly 965 stores.