Acting Attorney General Matthew J. Platkin announced today that New Jersey is co-leading an overall $8 million multistate settlement with Wawa Inc. that resolves the state’s investigation into a data breach that compromised approximately 34 million payment cards used by consumers to buy food and gas and other items at Wawa stores and fueling locations.
According to Platkin, the data breach extracted consumer payment card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019, and December 12, 2019, and affected stores in New Jersey and five other states – Pennsylvania, Florida, Delaware, Maryland, and Virginia – as well as Washington, D.C.
Acting Attorney General Platkin is co-leading today’s settlement announcement along with Pennsylvania Attorney General Josh Shapiro.
Under an Assurance of Voluntary Compliance filed with the Division of Consumer Affairs, New Jersey is to receive approximately $2.5 million of the overall Wawa settlement payout.
Platkin states that in addition to paying New Jersey and the other affected states, the settlement requires that Wawa take multiple steps going forward to strengthen its network protections and better safeguard consumer payment card data.
“This settlement is as important for the strengthened cyber security measures it requires as for the dollars Wawa must pay,” said Acting Attorney General Platkin.
“When businesses fail to maintain solid data security systems or train their employees to recognize suspicious web overtures, criminal hackers can be counted on to move in and exploit the situation. This settlement should signal to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”
“Businesses have a duty under our laws to protect the sensitive personal information consumers are sharing when they pay by card instead of cash,” said Acting Division of Consumer Affairs Director Cari Fais.
“Unfortunately, identity theft is a real concern, and criminal hackers are always on the lookout for weaknesses in retailer data systems. Given this reality, retailers must periodically reassess their data protection systems and strengthen them as needed. We will hold accountable any retailers whose failure to do so results in a compromise of consumers’ privacy.”
According to Platkin, the Wawa data breach occurred after hackers accessed Wawa’s computer network in 2019 by deploying malware that a company employee may have opened.
A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale terminals inside the stores and external fuel pumps.
He states that, specifically, the malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect PINs or credit card CVV2 codes (the three- or four-digit security codes printed on the back of the card). Payment cards using chip technology were not compromised.
Acting Attorney General Platkin and Attorney General Shapiro allege that Wawa failed to employ reasonable information security measures to prevent such a data breach and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.
According to Platkin, Wawa could not determine with specificity how many payment card transactions the breach compromised. However, in documents related to a private class action lawsuit over the breach, Wawa provided a breakdown of all consumer payment card transactions at its stores during the nine months at issue.
During that period, approximately 27.2 percent of all Wawa payment card transactions occurred in stores in New Jersey, while another 27 percent occurred at Wawa locations in Pennsylvania. Company stores in Florida had the next highest percentage of overall payment card transactions (22.1 percent), followed by Virginia (11.4 percent), Maryland (6.4 percent), Delaware (5.6 percent) and Washington, D.C. (0.2 percent).
Under today’s settlement, Wawa must create a comprehensive information security program within six months.
A credentialed expert in the field must oversee the program, including security awareness training for all Wawa personnel with key responsibilities for implementing the program, and incorporate data protection “Best Practices” designed to prevent attackers from obtaining credentials and other sensitive data through malicious downloads and other threats.
The program must also comply with Payment Card Industry Data Security Standards and employ controls to ensure company systems are accessed only by those with appropriate credentials – controls such as multi-factor authentication, one-time passcodes and location-specific requirements, among others.
According to the Acting Attorney General, within a year, Wawa also must obtain an information security compliance assessment and related report from a third-party professional – a certified information systems security professional or certified systems auditor with at least five years’ experience in evaluating the effectiveness of computer systems or information systems security.