HI INDIA NEWS DESK
NEW JERSEY, NJ — Wawa agreed to pay $8 million to end an investigation into a 2019 data breach that impacted 34 million customers, including patrons in New Jersey stores, officials announced. New Jersey will receive about $2.5 million as part of the multistate settlement.
Wawa failed to employ “reasonable” information-security measures to prevent the massive data breach, according to New Jersey Acting Attorney General Matthew J. Platkin and Pennsylvania Attorney General Josh Shapiro.
This is the third-largest credit card-breach settlement brought against a corporation by a group of attorneys general — behind only Target’s $18.5 million deal in 2017 and Home Depot’s $17.5 million agreement in 2020, according to Shapiro.
Wawa’s data breach sparked an FBI investigation and had previously led to Wawa disbursing $9 million in cash and customer gift cards following a class action lawsuit. The company failed to take appropriate measures that would’ve stopped hackers from putting malware on the company’s payment processing servers, officials said.
As a result, the malware gave hackers access to Wawa customer information from April 18 to Dec. 12, 2019. New Jersey stores represented 27.2 percent of all Wawa card transactions during that period — more than any other state and just ahead of Pennsylvania’s 27 percent.
The recent settlement’s terms require Wawa to create a comprehensive information security program within six months. A credentialed expert in the field must oversee the program, which will have to include security awareness training for all Wawa personnel with key responsibilities for its implementation.
Additionally, the program must incorporate data protection “Best Practices,” while also employing controls to ensure company systems are only accessible to those with appropriate credentials. Controls include multi-factor authentication, one-time passcodes and location-specific requirements.
Within one year, Wawa also must obtain an information security compliance assessment and related report from a certified third-party professional. The report must be shared with the New Jersey Attorney General’s Office.
The lawsuit also included attorneys general from Delaware, Florida, Maryland, Virginia and the District of Columbia.