Wawa has agreed to pay $8 million to end a multistate investigation into a data breach that compromised up to 34 million credit and debit cards used at its stores in 2019.
Florida will receive up to $1.1 million in the settlement but Attorney General Ashley Moody does not plan to share the money with Florida victims of the breach.
“The money secured in today’s announcement will go toward future consumer protection and privacy enforcement efforts to hold deceptive actors accountable and to consumer education,” said Kylie Mason, deputy communications director for Moody’s office, in an email on Tuesday.
The investigation was co-led by Pennsylvania Attorney General Josh Shapiro and New Jersey’s Acting Attorney General Matthew J. Platkin, according to an announcement by Platkin.
It’s also too late for Florida victims to share in the settlement of a breach-related class-action suit against Wawa announced last fall in Pennsylvania but not publicized in Florida. The deadline to claim part of $9 million that Wawa agreed to pay victims expired last November.
Wawa, however, says it has cooperated with law enforcement officials to assist anyone impacted by the breach and “make this right” for our customers and communities.
The breach occurred after hackers planted malware in the company’s computer network that extracted information stored in the magnetic stripes of up to 34 million credit and debit cards between April 18, 2019 and Dec. 12, 2019.
Credit and debit card numbers were exposed, along with expiration dates and cardholder names, Wawa acknowledged. Platkin’s announcement said 22.1% of transactions made during the breach period were made in Florida.
According to Moody’s news release, the attorneys general alleged that “Wawa failed to employ reasonable information security measures to prevent such a data breach, therefore violating state consumer protection and personal information protection laws.”
In addition to paying $8 million to end the investigation, Wawa agreed to create a “comprehensive information security program within six months,” Pletkin’s release said.
Since the breach was discovered, Wawa has replaced magnetic stripe readers at its point-of-sale terminals, including gas pumps, with more-secure embedded chip readers. The company also offered customers up to a year of identity theft protection and credit monitoring through Experian.
Stores were affected in all six states where Wawa operates, including Delaware, Maryland, New Jersey, Pennsylvania and Virginia, plus Washington, D.C.
Wawa, which has rapidly expanded into Florida over the past decade, opened its 200th store in the state in October 2019, weeks before the breach was discovered.
In the earlier settlement announced last August, Wawa agreed to pay between $5 and $500 to customers affected by the breach.
Customers who made card purchases at a Wawa and attested that they monitored their credit reports out of concern about the breach but were not affected by fraud qualified for a $5 Wawa gift card.
Customers who made purchases with a card, could provide reasonable proof of an actual or attempted fraudulent charge, and who spent at least some time monitoring their accounts could receive a $15 Wawa gift card.
Customers who made purchases with a card and could document that they lost of spent money in connection with actual or attempted fraud “reasonably attributed to the data breach” could be reimbursed for losses up to $500.
But the deadline to claim the compensation was Nov. 29.
Wawa, which publicizes nearly all of its Florida store openings with announcements to local media sources, apparently did not publicize availability of the settlement to its Florida customers.
Searches on Google and the website Newspapers.com, which archived stores from 14 daily newspapers in Florida in 2021, turned up just one story about the settlement — on an internet-only site called Patch.com.
Wawa spokeswoman Lori Bruce did not respond to emailed questions asking how many customers filed claims, and whether the company took any steps last year to inform the company’s Florida customers about their right to claim compensation from the class-action settlement fund.
Regarding the settlement with the six states and Washington, D.C. announced Tuesday, Bruce released a statement saying Wawa is “pleased” to have reached the resolution.
“Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident,” the statement said. “From the outset, our focus has been to make this right for our customers and communities. We continue to take the necessary steps to safeguard our information security systems.”