WAWA, Pa. — Wawa Inc. will pay $8 million to end an investigation into the 2019 data breach that affected approximately 34 million payment cards at convenience stores and gas stations across the retailer's network.
The company has pledged to strengthen its data security practices, according to a copy of the settlement agreement and statements from attorneys general for Pennsylvania and New Jersey. Wawa did not admit wrongdoing as part of the settlement.
Pennsylvania Attorney General Josh Shapiro and New Jersey Acting Attorney General Matthew J. Platkin co-led the multistate probe and announced the settlement agreement. Five attorneys general from other states and the District of Columbia also participated in the investigation.
The settlement will be divided between Pennsylvania, New Jersey, Delaware, Florida, Maryland, Virginia and Washington, D.C., which each receiving different amounts from the $8 million total.
The agreement marks the third-largest credit card breach settlement with attorneys general after Target Corp.'s deal for $18.5 million in 2017 and Home Depot Inc's $17.5 million agreement in 2020.
Wawa attorney Gregory Park, co-leader of the privacy and cybersecurity practice at Morgan, Lewis & Bockius, referred requests for comment on the settlement to Wawa, Reuters reported. A spokesperson for the retailer did not immediately provide a comment.
In December 2019, Wawa CEO Chris Gheysens stated in an open letter to customers that malware had affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained in mid-December of the same year, as Convenience Store News reported.
"We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts," Gheysens wrote. The malware was identified by Wawa's information security team on Dec. 10. "Because of the immediate steps we took after discovering this malware, we believe that as of December 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa."
Wawa arranged for a dedicated toll-free call center to answer customer questions and offered credit monitoring and identity theft protection without charge to anyone whose information may have been involved.
In early 2021, Wawa resolved a class-action settlement by agreeing to pay affected customers $9 million and spend $35 million to upgrade its cybersecurity. Wawa customers who used credit or debit cards at the retailer's stores or fuel pumps between March 4, 2019 and Dec. 12, 2019 were eligible for relief, with the amount varying depending on how individual customers were affected.
A federal judge gave final approval to that settlement with an additional $3.2 million included for legal fees and expenses.
The attorneys general involved in the investigation alleged that Wawa lacked reasonable security measures at the time of the breach.
"This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay," said Platkin. "When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers' sensitive personal information."
Pennsylvania-based Wawa operates nearly 1,000 convenience stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.