Wawa has agreed to an $8 million settlement with seven attorneys general over a 2019 breach that is estimated to have affected 34 million payment cards.
The data breach affected stores in the District of Columbia, Delaware, Florida, Maryland, New Jersey, Pennsylvania, and Virginia from April 18, 2019, to Dec. 12, 2019. Hackers deployed malware on the company’s point-of-sale terminals, affecting in-store payments and payments at gas pumps.
The attorneys general jointly announced the settlement on Tuesday.
“Today’s settlement will help protect Pennsylvanians personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch. Thanks to this work Wawa will adopt new corporate policies to deter data breaches in the future,” Pennsylvania Attorney General Josh Shapiro said in a statement.
States received their share of the $8 million based on how many cards were breached in their state.
Wawa said it was “pleased to have reached a resolution” and vowed to improve its security systems.
“Wawa responded promptly and followed all notice requirements with relevant authorities, in addition to cooperating fully with the attorneys general and all law enforcement officials to assist anyone impacted by the incident. From the outset, our focus has been to make this right for our customers and communities. We continue to take the necessary steps to safeguard our information security systems,” the company said in a statement.
The 2019 Wawa breach settlement was billed as the third-largest ever reached by state attorneys general, trailing settlements with Target and Home Depot.