
A 2019 data breach at Wawa stores, which compromised approximately 34 million payment cards used by consumers to buy food, gas and other items at Wawa convenience stores and gas stations, has resulted in a $28.5 million direct monetary compensation settlement.
- Wawa is No. 9 on CSP’s 2023 Top 40 update of the largest U.S. convenience-store chains by company-owned store count.
Financial institution plaintiffs—Inspire Federal Credit Union, Insight Credit Union and Greater Cincinnati Credit Union—sought authorization of a settlement with Wawa to resolve the class action on behalf of themselves and other payment card issuers. This settlement is the product of more than a year of negotiations among the parties and reflects a comprehensive plan to compensate settlement class members for the harms resulting from Wawa’s data security incident, court documents say.
Parties reached an agreement to settle the matter in August 2022. After finalizing a term sheet on Aug. 26, the parties worked to craft a comprehensive settlement agreement, solicit proposals from settlement administrators, draft the proposed notices, claim form and proposed orders, and negotiate terms for the contemplated escrow accounts. Wawa executed the settlement on March 3.
Wawa’s contribution
Wawa has committed a total of up to $28.5 million to compensate for the data breach, according to a settlement document from the U.S. District Court of the Eastern District of Pennsylvania. This includes up to $18.5 million for costs associated with cancelling and replacing payment cards; up to $8 million for losses resulting from payment card fraud; and up to $2 million to be distributed to individuals that attest to incurring other costs.
In addition to this direct compensation to settlement class members, Wawa will pay up to $9 million toward the costs of notice and administration, attorneys’ fees and expense reimbursements and service awards to the financial institutions for their service as class representatives. Wawa declined a request from CSP to comment on the latest court actions.
Payment tiers
The first settlement class tier includes members of financial institutions who attest to having cancelled and replaced the affected cards in response to the data security incident between Dec. 12, 2019, and May 1, 2020. Financial institutions can receive $5 per replaced card.
Wawa has committed a minimum of $3 million and maximum of $18.5 million for Settlement Class Members that file claims in this tier.
Tier two provides up to $4,000 per financial institution to compensate for fraudulent charges reflected in reasonable documentation. Payments under tier two have a total cap of $8 million.
Tier three gives class members the option, as an alternative to tiers one and two, to make a claim without documentation. The claim value will be a fixed amount for each person, calculated by dividing $2 million by the final number of class members.
The tier three fixed value will also be used as a minimum claim value, such that if a class member submits a claim under tier one or tier two, and the value of that claim does not exceed the tier three fixed value, then the class member will receive the tier three claim value instead.
Background
The data breach extracted consumer payment-card data, including customers’ card numbers, expiration dates and cardholder names, from transactions that took place between April 18, 2019, and Dec. 12, 2019, and affected stores in New Jersey and five other states—Pennsylvania, Florida, Delaware, Maryland and Virginia—as well as Washington, D.C.
During that period, approximately 27.2% of all Wawa payment-card transactions occurred in stores in New Jersey, while another 27% occurred at Wawa locations in Pennsylvania. Company stores in Florida had the next highest percentage of overall payment card transactions (22.1%), followed by Virginia (11.4%), Maryland (6.4%), Delaware (5.6%) and Washington, D.C. (0.2%).
The Wawa data breach occurred after hackers gained access to Wawa’s computer network in 2019 by deploying malware that may have been opened by a company employee, records show.
A few months later, the hackers deployed malware that allowed them to obtain magnetic stripe data from cards processed at Wawa’s point-of-sale (POS) terminals inside the stores, as well as at the outside fuel pumps, according to court documents.
The malware harvested Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data. It did not collect personal identification numbers (PINs) or credit card CVV2 codes (the three- or four-digit security codes printed on the back of the card). Payment cards using chip technology were not compromised.
Wawa, Pennsylvania-based Wawa has more than 950 c-stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C.