An agreement in the wake of a 2019 data breach has been reached between Wawa and the attorneys general offices of several states, including Pennsylvania.
Pennsylvania Attorney General Josh Shapiro, who is running for governor as a Democrat, said Monday that the states and Pennsylvania-based Wawa had reached an $8 million agreement over the December 2019 data breach that compromised approximately 34 million payment cards used across all Wawa stores.
Pennsylvania will collect $2.5 million through the settlement and the rest will be split by Delaware, Florida, Maryland, New Jersey, Virginia and Washington, D.C.
In addition, Wawa has agreed to enact programs to strengthen customer data protection.
Below is specific information on the actions agreed to in the settlement:
- Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information.
- Providing resources necessary to fully implement the company’s information security program.
- Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program.
- Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection and vendor account management.
- Consistent with previous state data breach settlements, undergoing a post-settlement information security assessment which in part will evaluate its implementation of the agreed-upon information security program.
The agreement and payment to the states will release Wawa from all civil claims the offices could have brought against the company, according to the agreement presented to the court.
The settlement is the third-largest attorneys general credit card breach settlement, after settlements with Target and The Home Depot.
Pennsylvania authorities said they immediately began an investigation after Wawa “proactively notified” the attorney general’s office that the company had experienced a data breach.
The investigation found that Wawa had disregarded basic security precautions, allowing hackers to access its network and install malware on the payment processing servers in its retail locations. Between April 18 and Dec. 12, 2019, the malware gave the hackers access to the payment card details of Wawa customers. Approximately 9.1 million credit cards in Pennsylvania could have been compromised as a result, Shapiro’s office said.
“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” Shapiro said. “Thanks to this work, Wawa will adopt new corporate policies to deter data breaches in the future. Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ personal data or they will have to answer to my office.”
Shapiro and New Jersey Acting Attorney General Matthew Platkin led the coalition of seven states that reached the settlement with the company.