Wawa, a U.S. convenience and gas store chain, faces at least six lawsuits related to a data breach it suffered earlier this year, according to The Philadelphia Inquirer. The lawsuits indicate that millions of Wawa customers may have been affected by the data breach and seek damages and legal fees of more than $5 million.
The lawsuits allege that Wawa did not adequately secure its computer systems against malware that compromised credit and debit cardholder names, numbers and expiration dates used in-store and at gas pumps, The Philadelphia Inquirer reported. They also accuse Wawa of violating state consumer protection laws, as well as negligence and breach of contract.
A Closer Look at the Wawa Cyberattack
Wawa's information security team discovered malware on the company's payment processing servers on December 10 and contained it by December 12. However, malware that affected Wawa customer payment card information may have been present on the company's systems as early as March 4, CEO Chris Gheysens wrote in a letter to customers.
Malware began running on Wawa's in-store payment processing systems at potentially all Wawa locations after March 4, Gheysens indicated. By April 22, this malware was present on most Wawa systems.
Wawa Responds to the Cyberattack
Wawa has blocked and contained the malware responsible for the data breach and believes the malware no longer poses a risk to customers using payment cards at its locations, Gheysens noted. The company has engaged an external forensics firm to investigate the security incident and is working with law enforcement as part of a criminal investigation as well.
In addition, Wawa has set up a dedicated toll-free call center to answer customer questions about the data breach. Wawa also is providing free credit monitoring and identity theft protection to those who may have been affected by the security incident.
Wawa owns and operates 850 stores across six states and the District of Columbia. The company totaled more than $12 billion in revenues last year.