Wawa convenience store logo

Wawa Hit With Several Lawsuits Following Data Breach

A Wawa convenience store

WAWA, Pa. — Wawa Inc. is facing several lawsuits — and the possibility of a class action suit — after its convenience store chain experienced a data breach.

The legal actions come one week after Wawa CEO Chris Gheysens said malware affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained on Dec. 12, as Convenience Store News previously reported.

According to The Philadelphia Inquirer, at least six lawsuits, seeking class-action status, have been filed in federal court in Philadelphia. They allege that Wawa failed to adequately secure its computer systems from hackers who installed malware affecting potentially all of its stores.

The breach compromised cardholder names, numbers, and expiration dates used in-store and at gas pumps.

Lawsuits accuse Wawa of negligence, breach of contract, and violations of state consumer protection laws. The suits seek unspecified damages and lawyers fees, but all agree the issue involves more than $5 million, the news outlet added.

"The data breach was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security," said one suit, filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith of Haverford. "Victims of the data breach have had their sensitive card Information compromised, had their privacy rights violated, been exposed to the increased risk of fraud and identify theft, lost control over their personal and financial information, and otherwise have been injured."

A Wawa spokesperson declined to comment to the news outlet, citing pending litigation.

Although the dates may vary and some Wawa locations may not have been affected at all, the malware was present on most store systems by approximately April 22, 2019. The retailer's information security team identified the malware on Dec. 10, and by Dec. 12, it had blocked and contained the malware.

Based on the Wawa's investigation, the malware did not access debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted purchases.  

Based in Pennsylvania, Wawa operates more than more than 870 c-stores, with 600-plus offering fuel, in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C.