The fallout from the Wawa data breach continues to expand. Reports indicate customer data from the breach is now for sale on the dark web and the total number of compromised payment card accounts may reach 30 million. With more than half of Wawa's stores located in Pennsylvania and New Jersey, the Wawa breach is one of the most important cybersecurity events in local history.

The iconic Delaware Valley convenience store announced the data security breach in December 2019. Wawa admits all 850 Wawa locations may have fallen victim to malware running on in-store payment systems between April and December 2019. The malware targeted credit card information from fuel dispensers and in-store payment terminals. Information compromised in the breach includes debit and credit card numbers, expiration dates and cardholder names. Wawa maintains the breach did not reveal personal identification numbers (PINs) or CVV records (the three-digit security code on the back of a payment card).

Cyber fraud consulting firm Gemini Advisory reported the compromised data is being offered for sale on a notorious dark web marketplace. "Joker's Stash" is one of the largest dark web exchanges for stolen payment information. The marketplace claims to have over 30 million breached data dumps for sale, although it is too early to confirm how many are genuine or originate from the Wawa breach.

Gemini reports the median price for U.S.-issued cards from the breach is $17. Somewhat counterintuitively, larger data breaches often fetch a relatively lower per-card price on the dark web. Analysts speculate the ability of larger retailers to respond promptly after a breach reduces criminal demand. "Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure," Gemini commented.

On Jan. 28, Wawa issued an update on its website, stating in part: "Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous data security Incident announced by Wawa on Dec. 19, 2019. We have alerted our payment card processor, payment card brands and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.

We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges."

Wawa is working with an external forensic firm to investigate the breach and says the malware was blocked and contained by Dec. 12, 2019. Wawa recommends customers consider registering for identity protection services, review their payment card account statements, order a credit report and refer to the online reference guide Wawa created in response to the event. Wawa instructs any customers who detect identity theft or fraud to promptly report the incident to local law enforcement, their state Attorney General and the Federal Trade Commission.

Wawa is already facing a class action lawsuit from the breach. The suit, filed in the U.S. District Court for the Eastern District of Pennsylvania in December, claims violation of New Jersey consumer protection laws, breach of contract and negligence in securing computer systems. The complaint claims Wawa failed to implement adequate data security measures to protect customers' sensitive information and characterizes Wawa's approach to data security as "cavalier."

The complaint states in part: "Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and even though these types of data breaches were and are occurring frequently throughout the restaurant and retail industries, Wawa failed to ensure that it maintained adequate data security measures to protect customer card information from criminals."

On Jan. 3, 2020, The Legal Intelligencer reported on an evolving leadership dispute involving the class action litigation.

Wawa is a privately held corporation headquartered in Wawa, Pennsylvania. Its regional footprint encompasses Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C. Wawa generates $12 billion in annual sales and employs nearly 37,000 people. According to Forbes, Wawa is the 25th largest privately held company in the United States. Wawa has grown rapidly due in part to strong customer loyalty. Wawa's profitability is also supported by an average customer purchase amount twice the industry average. The company was founded in 1964 by the Wood family, whose Philadelphia roots go back to the days of William Penn.

Wawa CEO Chris Gheysens issued an apology following the disclosure of the breach in December: "I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible."

Although it remains too soon to evaluate the full extent of the Wawa breach, it seems clear the trend for hackers to target retail payment systems remains strong. The ever-growing list of high-profile data breaches makes it increasingly important for retailers to implement reasonable safeguards. Target suffered a similar breach in 2013 exposing 40 million sets of payment card data. Home Depot's 2014 breach exposed 50 million customers' data. Unfortunately, many U.S. gas stations are not obliged to fully upgrade to the enhanced security of chip-reading payment terminals until October 2020.

Cybersecurity liability is a modern legal reality. Even courts aren't immune from malware attacks. Last summer the Philadelphia court system's e-filing system was shut down for over a month.

Patrick McKnight is a JD/MBA candidate at Rutgers University.