On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

The data breach affected approximately 850 Wawa locations in New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia, and Washington D.C. The breach occurred after hackers gained access to Wawa’s computer network by deploying malware that may have been opened by a company employee.  The malware allowed the hackers to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside the stores and outside fuel pumps. The malware harvested customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect PIN numbers or credit card CV2 codes (the three- or four- digit security codes printed on the back of the card), and payment cards using chip technology were not compromised.

The attorneys general alleged that Wawa failed to employ reasonable information security measures to prevent the data breach, violating the states’ consumer protection and personal information protection laws.

In addition to paying $8 million, Wawa also must improve its information security practices. Specifically, Wawa must create a comprehensive information security program that contains appropriate administrative, technical and physical safeguards, including (1) network segmentation of its cardholder data environment; (2) reasonable measures to detect, investigate, respond to, and recover from security incidents within a reasonable time period; (3) reasonable implementation of personal information access controls (e.g., multifactor authentication, one-time passcodes); (4) implementation of logging and monitoring controls to ensure monitoring of Wawa’s security logs and cardholder data environment; and (5) measures to ensure PCI DSS compliance.  Additionally, the program must include: (1) documented methods and criteria for managing information security risks; (2) annual comprehensive risk assessments of Wawa’s networks where payment card information is stored; and (3) an annual assessment of the program with continual review of the program’s effectiveness.

The information security program must be overseen by a credentialed expert in the field and include security awareness training for all Wawa personnel.

Wawa must undergo an information security compliance assessment by a third-party accessor within one year. The assessment must (1) set forth specific administrative, technical and physical safeguards maintained by Wawa; (2) explain the extent to which the safeguards are appropriate; (3) explain the extent to which the implemented safeguards meet the requirements of the information security program; and (4) identify Wawa’s qualified security assessor for purposes of PCI DSS validation.

Separate from this multistate AG settlement, Wawa also settled a consumer class action lawsuit in April 2022 that resulted in the class members receiving approximately $9 million (in the form of cash and gift cards) and Wawa paying approximately $3.2 million to cover plaintiffs’ legal fees and expenses.