Seven attorneys general, obtained an $8 million agreement with Wawa to resolve a December 2019 data breach that was suspected by compromising 34 million payment cards used at the convenience store/gas station chain.
Wawa has dozens of stores in Delaware.
This is the third largest Attorneys General credit card breach settlement behind Target and The Home Depot. Delaware will collect approximately $450,000 through this settlement.
The data breach occurred after hackers gained access to Wawa’s computer network through a phishing attack in late 2018 and later deployed malware on Wawa’ s point-of-sale terminals. The malware extracted Wawa customers’ sensitive payment card information between April 18, 2019 and December 12, 2019, affecting stores in each of the six states where Wawa operates. About 1.2 million cards were used in Delaware during the time of the breach.
The participating Attorneys General allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.
“This was excellent work by our Consumer Protection Unit and fellow Attorneys General offices,”¨ said Delaware Attorney General Kathy Jennings. “We will continue to hold busiesses like Wawa accountable for their duty to protect our entrusted information from unlawful use or disclosure.”
In addition to the $8 million payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
Specific information security provisions:
- – Maintaining a comprehensive information security program designed to protect consumers¡¦ sensitive personalinformation;
– Providing resources necessary to fully implement the company¡¦s information security program;
– Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program.
