Delaware will receive $450,000 out of an $8 million multi-state settlement with a Pennsylvania-based convenience store chain after a data breach compromised some 34 million payment cards.
Attorney General Kathy Jennings said Wawa Inc. failed to take reasonable security measures to prevent such a data breach and therefore violated state consumer protection and personal information protection laws.
Under the settlement, Wawa will not have to admit wrongdoing or liability.
According to Jennings, the data breach occurred after hackers gained access to Wawa’s computer network through a phishing attack in late 2018 and later deployed malware on Wawa’s point-of-sale terminals.
The malware extracted Wawa customers’ sensitive payment card information between April 18, 2019, and Dec. 12, 2019, affecting stores in each of the six states where Wawa operates — New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia — as well as Washington, D.C.
Approximately 1.2 million cards were used in Delaware during the time of the breach.
“This was excellent work by our Consumer Protection Unit and fellow Attorneys General offices,” Jennings said. “We will continue to hold businesses like Wawa accountable for their duty to protect our entrusted information from unlawful use or disclosure.”
In addition to the $8 million settlement, Wawa has agreed to implement the following security measures to prevent a data breach from happening again:
- Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
- Providing resources necessary to fully implement the company’s information security program;
- Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program.