Wawa settlement to pay PA $2.5M for credit-card data breach. Here's what consumers will get

Daniel Munoz, NorthJersey.com
·2 min read

Convenience store giant Wawa will pay Pennsylvania and New Jersey $2.5 million each as part of a multistate settlement following a 2019 data breach in which hackers stole financial information from millions of customers, the state Attorney General’s Office announced.

Delaware, Florida, Maryland, Virginia and the District of Columbia are also sharing in the $8 million settlement. Pennsylvania operates almost 1,000 stores.

Wawa admitted to no wrongdoing, acting New Jersey AG Matthew Platkin said in a statement. But the company agreed to take steps to strengthen protections of customer's card data, Platkin said. Wawa has more than 270 locations in New Jersey.

The Wawa convenience store at the site of the former Chatterbox Drive-In Wednesday, July 13, 2022.
The Wawa convenience store at the site of the former Chatterbox Drive-In Wednesday, July 13, 2022.

“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” Platkin said on Tuesday. “This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”

Between April and December 2019, credit card numbers from 34 million transactions were stolen, as well as expiration dates and names on the cards, according to the joint-state announcement.

The hackers were able to gain access to Wawa's computer network "by deploying malware that may have been opened by a company employee," the office said.

Gift cards for customers

">

The hackers were unable to collect PIN numbers of credit card CVV2 codes, as well as data from any cards that relied on chip technology ― only transactions relying on magnetic strips were affected, the Tuesday statement said. The breach targeted customers paying at gas pumps and inside Wawa retail stores but not ATMs.

"As the [July] settlement notes, Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident," Wawa spokesperson Lori Bruce responded in a statement."

Neither the states nor Wawa discussed compensation for individual consumers in this week's statements. But in April, the company reached a $12 million class action settlement to settle a private lawsuit over the data breach.

As part of the that agreement, customers who made a purchase during the time of the breach but whose financial information was not stolen would receive a $5 gift card. Those customers who had fraudulent charges on their card during the period would receive a $15 gift card. Customers who lost money due to the hacking would receive a cash reimbursement of up to $500.

"From the outset, our focus has been to make this right for our customers and communities," Bruce said in Wawa's statement. "We continue to take the necessary steps to safeguard our information security systems."

Wawa's attorney Gregory Parks, who co-leads the privacy and cybersecurity practice at law firm Morgan, Lewis & Bockius, could not be immediately reached for comment.

Wawa, founded in New Jersey, is now based in Delaware County.

Daniel Munoz covers business, consumer affairs, labor and the economy for NorthJersey.com and The Record. 

Email: munozd@northjersey.comTwitter: @danielmunoz100

This article originally appeared on NorthJersey.com: Wawa data breach settlement to pay out $2.5 million in PA