AG announces $8M settlement with Wawa following security breech

Paula Wolf//July 28, 2022

AG announces $8M settlement with Wawa following security breech

Paula Wolf//July 28, 2022

State Attorney General Josh Shapiro announced an $8 million agreement with Wawa on Tuesday to resolve a December 2019 data breach that compromised approximately 9.1 million payment cards in Pennsylvania and 34 million used across all Wawa stores.

The commonwealth will collect $2,525,732 through this settlement, the third largest attorneys general credit card breech settlement, after Target and Home Depot.

Shapiro, along with acting New Jersey Attorney General Matthew J. Platkin, led a coalition of seven AGs in the investigation.

Wawa notified Shapiro’s office after the company experienced the breech. The investigation concluded that Wawa failed to employ reasonable security measures, allowing hackers to gain access to its network and deploy malware on the company’s payment processing servers at its stores.

The malware allowed the hackers to obtain the payment card information of Wawa customers between April 18, 2019, and Dec. 12, 2019.

“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” Shapiro said in a release. “Thanks to this work, Wawa will adopt new corporate policies to deter data breaches in the future. Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ personal data or they will have to answer to my office.”

Specific information security provisions agreed to in the settlement include:

· Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;

· Providing resources necessary to fully implement the company’s information security program;

· Providing appropriate security awareness and privacy training to personnel responsible for implementation and oversight of the information security program;

· Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection and vendor account management.

Wawa will also undergo a post-settlement information security assessment.

Paula Wolf is a freelance writer