Wawa Data Breach Update: Consumers File Lawsuits Post Cyberattack

Wawa, a U.S. convenience and gas store chain, faces at least six lawsuits related to a data breach it suffered earlier this year, according to The Philadelphia Inquirer. The lawsuits indicate that millions of Wawa customers may have been affected by the data breach and seek damages and legal fees of more than $5 million.

The lawsuits allege that Wawa did not adequately secure its computer systems against malware that compromised credit and debit cardholder names, numbers and expiration dates used in-store and at gas pumps, The Philadelphia Inquirer reported. They also accuse Wawa of violating state consumer protection laws, as well as negligence and breach of contract.

A Closer Look at the Wawa Cyberattack

Wawa's information security team discovered malware on the company's payment processing servers on December 10 and contained it by December 12. However, malware that affected Wawa customer payment card information may have been present on the company's systems as early as March 4, CEO Chris Gheysens wrote in a letter to customers.

Malware began running on Wawa's in-store payment processing systems at potentially all Wawa locations after March 4, Gheysens indicated. By April 22, this malware was present on most Wawa systems.

Wawa Responds to the Cyberattack

Wawa has blocked and contained the malware responsible for the data breach and believes the malware no longer poses a risk to customers using payment cards at its locations, Gheysens noted. The company has engaged an external forensics firm to investigate the security incident and is also working with law enforcement as part of a criminal investigation.

In addition, Wawa has set up a dedicated toll-free call center to answer customer questions about the data breach. Wawa also is providing free credit monitoring and identity theft protection to those who may have been affected by the security incident.

Wawa owns and operates 850 stores across six states and the District of Columbia. The company totaled more than $12 billion in revenues last year.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.