Convenience store giant Wawa will pay New Jersey $2.5 million as part of a multistate settlement following a 2019 data breach in which hackers stole financial information from millions of customers, the state Attorney General’s Office announced.
Delaware, Florida, Maryland, Pennsylvania, Virginia and the District of Columbia are also sharing in the $8 million settlement. Pennsylvania will also receive about $2.5 million from Wawa, which operates almost 1,000 stores along the East Coast.
Wawa admitted to no wrongdoing, acting New Jersey AG Matthew Platkin said in a statement. But the company agreed to take steps to strengthen protections of customers’ card data, Platkin said. Wawa has more than 270 locations in New Jersey.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” Platkin said on Tuesday. “This settlement should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”
Between April and December 2019, credit card numbers from 34 million transactions were stolen, as well as expiration dates and names on the cards, according to the joint-state announcement.
The hackers were able to gain access to Wawa’s computer network “by deploying malware that may have been opened by a company employee,” the office said. The company has said about 27% of its payment card transactions during the breach occurred in New Jersey, the states said. That would mean about 9.2 million of the compromised sales were in the Garden State.
Gift cards for customers
The hackers were unable to collect PIN numbers or credit card CVV2 codes, as well as data from any cards that relied on chip technology – only transactions relying on magnetic strips were affected, the Tuesday statement said. The breach targeted customers paying at gas pumps and inside Wawa retail stores but not ATMs.
“As the [July] settlement notes, Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident,” Wawa spokesperson Lori Bruce responded in a statement.
Neither the states nor Wawa discussed compensation for individual consumers in this week’s statements. But in April, the company reached a $12 million class action settlement to settle a private lawsuit over the data breach.
As part of that agreement, customers who made a purchase during the time of the breach but whose financial information was not stolen would receive a $5 gift card. Those customers who had fraudulent charges on their card during the period would receive a $15 gift card. Customers who lost money due to the hacking would receive a cash reimbursement of up to $500.
“From the outset, our focus has been to make this right for our customers and communities,” Bruce said in Wawa’s statement. “We continue to take the necessary steps to safeguard our information security systems.”
Wawa’s attorney Gregory Parks, who co-leads the privacy and cybersecurity practice at law firm Morgan, Lewis & Bockius, could not be immediately reached for comment.
Wawa, founded in New Jersey but now based outside Philadelphia, operates more locations in South Jersey, but the chain has been expanding in the northern part of the state. It opened its first store in Sussex County this month and announced plans for three more local sites as well.
Daniel Munoz covers business, consumer affairs, labor and the economy for NorthJersey.com and The Record.
Email: munozd@northjersey.com
Twitter: @danielmunoz100