Wawa Must Pay $8 Million To Settle Massive Data Breach: PA Officials

Wawa failed to use "reasonable" security measures that would have stopped hackers, officials said.

HARRISBURG, PA — Wawa must pay $8 million in a massive settlement after a 2019 data breach left the payment cards of some 34 million customers exposed, authorities said. The lawsuit was brought against Wawa by a group of nine states, and Pennsylvania will net $2.5 million in damages.

Officials said it's the third-largest credit card breach settlement ever brought against a corporation by a group of attorneys general. The massive breach sparked an FBI investigation and had previously led to Wawa disbursing $9 million in cash and customer gift cards following a class action lawsuit.

“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” Attorney General Shapiro said in a statement. Shapiro co-led the suit with New Jersey Attorney General Matthew J. Platkin.

Wawa failed to use "reasonable" security measures that would have stopped hackers from putting malware on the company's payment processing servers, officials said.

As a result, the malware gave hackers access to Wawa customer information between April 18, 2019 and Dec. 12, 2019.

Shapiro added that Wawa will "adopt new corporate policies" as a result of the suit to prevent similar data breaches in the future.

"Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office," Shapiro said.

In a statement to the Associated Press, Wawa said it had fully cooperated with authorities from the moment it discovered the breach.

“From the outset, our focus has been to make this right for our customers and communities,” the company's news release said. “We continue to take the necessary steps to safeguard our information security systems.”

Specifics of Wawa's data breach plan include allocating resources to implement a new information security program; creating safeguards for file integrity monitoring, firewalls, encryption, and more; and agreeing to undergo a post-settlement assessment from the state evaluating its new policies.

Other states joining Pennsylvania and New Jersey in the suit were Delaware, Florida, Maryland, Virginia, and the District of Columbia.
