Wawa Faces Lawsuits After Data Breach
Wawa has said it reported its large-scale data breach to the FBI and doesn’t know who launched the cyberattack.
Wawa, which operates more than 850 convenience stores in six states and Washington, DC, is facing at least six lawsuits claiming the company failed to protect consumers from a recent data breach that exposed credit and debit card information, according to The Philadelphia Inquirer.
The lawsuits, seeking class-action status, have been filed in federal court in Philadelphia. They allege that Wawa failed to adequately secure its computer systems from hackers who installed malware potentially affecting all Wawa locations.
The lawsuits accuse Wawa of negligence, breach of contract and violations of state consumer protection laws, according to The Inquirer. The suits seek unspecified damages and lawyers fees, but all agree the issue involves more than $5 million.
Wawa found malware on its payment processing servers on Dec. 10 and contained it by Dec. 12, the company said. The malware had been running on its systems since March 4 and was on most of its store systems by April 22, CEO Chris Gheysens said in a statement.
Wawa has said it reported its large-scale data breach to the FBI and doesn’t know who launched the cyberattack.
“We continue to work with top security experts to take steps to enhance the security of our systems and to support law enforcement in their ongoing investigation.” the company said in a statement.
Wawa said the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PINs or CVV2 numbers. The ATMs in Wawa stores were not impacted by this incident.
Wawa is offering identity protection and credit monitoring services at no charge to customers. The company has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday through Friday, between 9 a.m. and 9 p.m. Eastern Time or Saturday and Sunday between 11 a.m. and 8 p.m., excluding holidays.
A detailed notice and open letter to customers from Wawa’s CEO notifying potentially affected individuals about the incident is available at www.wawa.com/alerts/data-security.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Gheysens. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Gloss