WAWA, Pa. — Wawa is expected to pay customers affected by its 2019 data breach up to $9 million and spend an additional $35 million upgrading its cybersecurity assets, as first reported by The Philadelphia Inquirer.
- Wawa, based in Wawa, Pa., is No. 10 on CSP’s 2021 Top 40 update to the Top 202 ranking of c-stores by store count.
The $9 million customer payments includes up to $8 million in Wawa gift cards and up to $1 million in cash payments, according to the filed settlement pending approval by the judge overseeing the case.
"As part of the legal process, we have submitted required documents to the court and are awaiting approval from the judge of the notice plan," Wawa spokesperson Lori Bruce said in a statement provided to CSP Daily News. "Once the notice plan is approved, the details about the settlement will be available through a third-party settlement administrator and Wawa will issue a press release that will include the administrator’s contact information."
The data breach affected all Wawa stores, according to Chimicles Schwartz Kriner & Donaldson-Smith LLP (CSK&D), the Haverford, Pa.-based law firm representing consumers in the case. In addition to direct consumer payments, Wawa will pay $3.2 million in administration costs, attorney fees and expenses and other related costs.
Click here for the settlement announcement from CSK&D.
Wawa discovered malware in the company’s payment processing server on Dec. 10, 2019, and contained the breach by Dec. 12, 2019, according to a statement from Chris Gheysens, president and CEO of Wawa at the time. Gheysens also said the malware was present in the chain’s payment processing server since March 4, 2019. The company immediately started its own investigation and notified both law enforcement and payment card companies upon discovering the breach, according to Gheysens.
Shortly after the data breach was announced, CSPreported in Jan. 2020 that the illegal online marketplace known as Joker’s Stash began selling credit and debit card data stolen during Wawa’s nine-month data breach, according to Gemini Advisory, a New York-based fraud intelligence firm.