Wawa Data Breach Could Impact 30 Million Payment Cards
With more than half of Wawa's stores located in Pennsylvania and New Jersey, the Wawa breach is one of the most important cybersecurity events in local history.
February 20, 2020 at 01:49 PM
The fallout from the Wawa data breach continues to expand. Reports indicate customer data from the breach is now for sale on the dark web and the total number of compromised payment card accounts may reach 30 million. With more than half of Wawa's stores located in Pennsylvania and New Jersey, the Wawa breach is one of the most important cybersecurity events in local history.
The iconic Delaware Valley convenience store announced the data security breach in December 2019. Wawa admits all 850 Wawa locations may have fallen victim to malware running on in-store payment systems between April and December 2019. The malware targeted credit card information from fuel dispensers and in-store payment terminals. Information compromised in the breach includes debit and credit card numbers, expiration dates and cardholder names. Wawa maintains the breach did not reveal personal identification numbers (PINs) or CVV records (the three-digit security code on the back of a payment card).
Cyber fraud consulting firm Gemini Advisory reported the compromised data is being offered for sale on a notorious dark web marketplace. "Joker's Stash" is one of the largest dark web exchanges for stolen payment information. The marketplace claims to have over 30 million breached data dumps for sale, although it is too early to confirm how many are genuine or originate from the Wawa breach.
Gemini reports the median price for U.S.-issued cards from the breach is $17. Somewhat counterintuitively, larger data breaches often fetch a relatively lower per capita price on the dark web. Analysts speculate the ability of larger retailers to respond promptly after a breach reduces criminal demand. "Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure," Gemini commented.
On Jan. 28, Wawa issued an update on its website, stating in part: "Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous data security Incident announced by Wawa on Dec. 19, 2019. We have alerted our payment card processor, payment card brands and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.
"We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges."
Wawa is working with an external forensic firm to investigate the breach and says the malware was blocked and contained by Dec. 12, 2019. Wawa recommends customers consider registering for identity protection services, review their payment card account statements, order a credit report and refer to the online reference guide Wawa created in response to the event. Wawa instructs any customers who detect identity theft or fraud to promptly report the incident to local law enforcement, their state Attorney General and the Federal Trade Commission.
Wawa is already facing a class action lawsuit from the breach. The suit, filed in the U.S. District Court for the Eastern District of Pennsylvania in December, claims violation of New Jersey consumer protection laws, breach of contract and negligence in securing computer systems. The complaint claims Wawa failed to implement adequate data security measures to protect customers' sensitive information and characterizes Wawa's approach to data security as "cavalier."
The complaint states in part: "Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and even though these types of data breaches were and are occurring frequently throughout the restaurant and retail industries, Wawa failed to ensure that it maintained adequate data security measures to protect customer card information from criminals."
On Jan. 3, 2020, The Legal Intelligencer reported on an evolving leadership dispute involving the class action litigation.
Wawa is a privately held corporation headquartered in Wawa, Pennsylvania. Its regional footprint encompasses Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C. Wawa generates $12 billion in annual sales and employs nearly 37,000 people. According to Forbes, Wawa is the 25th largest privately held company in the United States. Wawa has grown rapidly due in part to strong customer loyalty. Wawa's profitability is also supported by an average customer purchase amount twice the industry average. The company was founded in 1964 by the Wood family, whose Philadelphia roots go back to the days of William Penn.
Wawa CEO Chris Gheysens issued an apology following the disclosure of the breach in December: "I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible."
Although it remains too soon to evaluate the full extent of the Wawa breach, it seems clear the trend for hackers to target retail payment systems remains strong. The ever-growing list of high-profile data breaches makes it increasingly important for retailers to implement reasonable safeguards. Target suffered a similar breach in 2013 exposing 40 million sets of payment card data. Home Depot's 2014 breach exposed 50 million customers' data. Unfortunately, many U.S. gas stations are not obliged to fully upgrade to the enhanced security of chip-reading payment terminals until October 2020.
Cybersecurity liability is a modern legal reality. Even courts aren't immune from malware attacks. Last summer the Philadelphia court system e-filing system was shut down for over a month.
Patrick McKnight is a JD/MBA candidate at Rutgers University.