AGs Fine Wawa Over Data Breach

  • AGs from seven states reached an $8 million settlement with Wawa, Inc. to resolve allegations that the convenience store chain violated state consumer protection and personal information protection laws. The AGs alleged that deficiencies in Wawa’s information security program contributed to a December 2019 data breach that compromised the payment card information of approximately 34 million customers.
  • The multistate investigation revealed that in December 2019, Wawa learned of a data breach in which malware on the company’s payment processing servers allowed hackers to obtain card numbers, expiration dates and cardholder names. Wawa blocked the malware within two days and deleted it completely within eight. In January 2020, the company issued a press release stating that it was aware of criminal attempts to sell this cardholder data, and that it had notified its payment card processor and card issuers. Subsequent investigation by the Payment Card Industry Forensic Investigator revealed three violations of Payment Card Industry Data Security Standards.
  • In addition to requiring Wawa to pay $8 million to the participating states, the Assurance of Voluntary Compliance requires that Wawa comply with all applicable laws, as well as develop, implement, and maintain a comprehensive information security program that will protect sensitive personal information. Wawa must also obtain an independent third-party information security compliance and assessment report within one year of the agreement’s effective date.