Wawa will pay New Jersey $2.5 million as part of a multistate settlement after a security breach exposed data about 34 million payment cards in 2019.
The convenience store and gas station company will also have to take several steps to harden its security over the next year, New Jersey's acting Attorney General Matthew J. Platkin said when announcing the lawsuit settlement Tuesday.
New Jersey had been among the states hardest hit by the breach, according to state officials. From April through December 2019, 27.2% of all of the company's payment card transactions were at New Jersey stores. Another 27% were in Pennsylvania. Customers in Florida, Virginia, Maryland, Delaware and Washington, D.C. were also affected. Collectively, they'll split an $8 million settlement.
“This settlement is as important for the strengthened cybersecurity measures it requires as for the dollars Wawa must pay,” Platkin said in an announcement from his office.
He said the settlement “should serve as a message to the industry that we are serious about holding businesses accountable when they fail to protect consumers’ sensitive personal information.”
In 2019, malware that might have been opened by a Wawa employee collected customers' names, card numbers and card expiration dates, Platkin's office said. The malware didn't collect PINs or CVV2 codes — the security codes found on the back of credit cards. Payments made with cards that use chip technology also weren't affected.
The states suing Wawa alleged it violated consumer protection laws by failing to employ reasonable security.
Wawa will be required to create a comprehensive information security program within six months. Within the next year, it also must obtain an information security compliance assessment and related report from a third-party professional. That assessment will be shared with state officials.