Acting Attorney General Matthew J. Platkin announced today that New Jersey is co-leading an overall $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a data breach that compromised approximately 34 million payment cards used by consumers to buy food and gas and other items at Wawa stores and fueling locations.
The data breach extracted consumer payment card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019 and December 12, 2019, and affected stores in New Jersey and five other states – Pennsylvania, Florida, Delaware, Maryland, and Virginia – as well as Washington, D.C.
Acting Attorney General Platkin is co-leading today’s settlement announcement along with Pennsylvania Attorney General Josh Shapiro. Under an Assurance of Voluntary Compliance filed with the Division of Consumer Affairs, New Jersey is to receive approximately $2.5 million of the overall Wawa settlement payout.
In addition to paying New Jersey and the other affected states, the settlement requires that Wawa take multiple steps going forward to strengthen its network protections and better safeguard consumer payment card data.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said Acting Attorney General Platkin. “When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”
“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” said Acting Division of Consumer Affairs Director Cari Fais. “Unfortunately, identity theft is a real concern, and criminal hackers are always on the lookout for weaknesses in retailer data systems. Given this reality, retailers must periodically reassess their data protection systems and strengthen them as needed. We will hold accountable any retailers whose failure to do so results in a compromise of consumers’ privacy.”
The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 through malware that may have been opened by a company employee.
A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside the stores, as well as at the outside fuel pumps.
Specifically, the malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect PINs or credit card CVV2 codes (the three- or four-digit security codes printed on the back of the card). Payment cards using chip technology were not compromised.
Acting Attorney General Platkin and Attorney General Shapiro allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.
Wawa was unable to determine with specificity how many payment card transactions were compromised by the breach. However, in documents related to a private class action lawsuit over the breach, Wawa provided a breakdown of all consumer payment card transactions that took place at its stores during the nine-month period at issue.
During that period, approximately 27.2 percent of all Wawa payment card transactions occurred in stores in New Jersey, while another 27 percent occurred at Wawa locations in Pennsylvania. Company stores in Florida had the next highest percentage of overall payment card transactions (22.1 percent), followed by Virginia (11.4 percent), Maryland (6.4 percent), Delaware (5.6 percent) and Washington, D.C. (0.2 percent).
Wawa is required under today’s settlement to create a comprehensive information security program within six months.
The program must be overseen by a credentialed expert in the field, include security awareness training for all Wawa personnel with key responsibilities for implementing the program, and incorporate data protection “Best Practices” designed to prevent attackers from obtaining credentials and other sensitive data through malicious downloads and other threats.
The program must also comply with Payment Card Industry Data Security Standards and employ controls to ensure company systems are accessed only by those with appropriate credentials – controls such as multi-factor authentication, one-time passcodes and location-specific requirements, among others.
Within a year, Wawa also must obtain an information security compliance assessment and related report from a third-party professional – a certified information systems security professional or certified systems auditor with at least five years’ experience in evaluating the effectiveness of computer systems or information systems security. Under the settlement, the compliance assessment report must be shared with the New Jersey Attorney General’s Office.
Section Chief Kashif Chand and Deputy Attorneys General Thomas Huynh and Mandy Wang of the Data Privacy & Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.