TRENTON – Acting Attorney General Matthew J. Platkin announced today that New Jersey is co-leading an overall $8 million multi-state settlement with Wawa Inc. that resolves the states’ investigation into a data breach that compromised approximately 34 million payment cards used by consumers to buy food, gas and other items at Wawa stores and fueling locations.
The data breach extracted consumer payment card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019 and December 12, 2019, and affected stores in New Jersey and five other states – Pennsylvania, Florida, Delaware, Maryland, and Virginia – as well as Washington, D.C.
Under an Assurance of Voluntary Compliance filed with the Division of Consumer Affairs, New Jersey is to receive approximately $2.5 million of the overall Wawa settlement payout.
In addition to paying New Jersey and the other affected states, the settlement requires that Wawa take multiple steps going forward to strengthen its network protections and better safeguard consumer payment card data.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” Acting Attorney General Platkin said in a release. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”
The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 by deploying malware, which may have been opened by a company employee.
A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside the stores, as well as at the outside fuel pumps.
Specifically, the malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data from the magnetic stripe. It did not collect PINs or CVV2 codes (the three- or four-digit security codes printed on the card, which are not stored on the magnetic stripe). Transactions made using chip (EMV) technology were not compromised.
Platkin alleged that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.
Wawa was unable to determine with specificity how many payment card transactions were compromised by the breach. However, in documents related to a private class action lawsuit over the breach, Wawa provided a breakdown of all consumer payment card transactions that took place at its stores during the nine-month period at issue.
During that period, approximately 27.2% of all Wawa payment card transactions occurred in stores in New Jersey, while another 27% occurred at Wawa locations in Pennsylvania.
Wawa is required under the settlement to create a comprehensive information security program within six months and to provide security awareness training for all Wawa personnel.
Within a year, Wawa also must obtain an information security compliance assessment and related report from a third-party professional experienced in evaluating computer systems.