Wawa agrees to $8M settlement for massive payment card data breach in 2019

About 34 million cards across multiple states were potentially exposed to hackers
Photo credit Jim Walsh/USA Today Network

PHILADELPHIA (KYW Newsradio) - Pennsylvania and several other states have reached an $8 million settlement with Wawa after a 2019 data breach potentially exposed 34 million payment cards to hackers.

At the end of 2019, Wawa revealed it experienced a massive data breach on its payment processing servers between April and December of that year. Anyone who used a credit or debit card at a Wawa location — in Pennsylvania, New Jersey, Delaware, Florida, Maryland, Virginia or Washington, D.C. — during that timeframe may have had their card information compromised.

Hackers accessed Wawa’s network through malware, which was opened by an employee, according to the New Jersey Office of Attorney General. The breach affected cards used in the store and at gas pumps.

The malware collected card numbers, expiration dates and cardholder names but did not obtain PIN numbers or credit card CVV2 codes. Chip cards were not affected.

In Pennsylvania, about 9.1 million cards were potentially at risk. Of the $8 million settlement, Pennsylvania and New Jersey will each receive more than $2.5 million.

Pennsylvania Attorney General Josh Shapiro investigated the breach along with other attorneys general and found Wawa had “failed to employ reasonable security measures.”

Also as part of the resolution, Wawa agreed to implement stronger data protection practices and train personnel to protect customers’ personal information. Wawa will also undergo a post-settlement security assessment within a year.

According to Shapiro’s office, this settlement is the third largest credit card breach settlement by attorneys general, behind Target ($18.5 million) in 2017 and Home Depot ($17.5 million) in 2020. Both of the latter data breaches affected customers almost nationwide.