DE & MD to Share in Multistate Settlement with Wawa Over 2019 Data Breach
Delaware and 6 other states will receive $8-million in a settlement with Wawa. This resolves a December 2919 data breach that compromised about 34-million payment cards used at Wawa stores. Delaware will receive approximately $450,000 through the settlement. Maryland was also a part of the settlement and will receive over $483,000 through the settlement. Also under the settlement, Wawa has agreed to a series of provisions designed to strengthen its data security practices.
The data breach occurred after hackers gained access to Wawa’s computer network through a phishing attack in late 2018 and later deployed malware on Wawa’s point-of-sale terminals. The malware extracted Wawa customers’ sensitive payment card information between April 18, 2019 and December 12, 2019, affecting stores in each of the six states where Wawa operates—New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia—as well as Washington, D.C. Approximately 1.2 million cards were used in Delaware during the time of the breach.
The participating Attorneys General allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws. Under the settlement, Wawa makes no admission of wrongdoing or liability.
In addition to the $8 million payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
Specific information security provisions agreed to in the settlement include:
● Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
● Providing resources necessary to fully implement the company’s information security program;
â—Ź Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program.
This matter was handled for the Delaware Department of Justice by its Consumer Protection Unit.  Â
Â
