State Attorneys General settle with Wawa, Inc. for 2019 data breach that compromised approximately 34 million payment cards used by consumers.

On July 26, 2022, Acting New Jersey Attorney General Matthew J. Platkin announced that New Jersey is co-leading an $8 million multistate settlement with Wawa, Inc. (Wawa) that resolves a data breach that occurred from April 18, 2019 to December 12, 2019 and affected stores in New Jersey, Pennsylvania, Florida, Delaware, Maryland, Virginia and Washington DC. The data breach was the result of malware that was used by hackers to harvest Wawa customers’ card numbers, expiration dates, cardholder names and other sensitive payment card data (though cards using chip technology were not compromised). Notably, security card CVV2 codes and personal identification numbers were not collected. According to documents related to a private class action, the breakdown of consumer pay card transactions during the relevant period was as follows: approximately 27.2 percent in New Jersey, 27 percent in Pennsylvania, 22.1 percent in Florida, 11.4 percent in Virginia, 6.4 percent in Maryland, 5.6 percent in Delaware and 0.2 percent in Washington DC.

The Attorneys General found that potentially 34 million payment cards were compromised in the breach. The Assurance of Voluntary Compliance (AVC) sets forth additional findings, including (i) that upon investigation, the Payment Card Industry forensic investigator (PFI) found three violations of the Payment Card Industry Data Security Standard (PCI DSS); (ii) that Wawa’s Information Security team did not generate a log during the time period and is unable to produce a log for any alerts from its security information events management system prior to November 2019; and (iii) that Wawa failed to employ reasonable data security measures, thus violating the various states’ consumer protection acts and personal information protection acts. Wawa does not admit, agree with or concede any of the aforementioned findings.

As part of the AVC, Wawa must (i) develop, implement and maintain an information security program within 180 days; (ii) implement specific information security safeguards; (iii) have a third party prepare a settlement compliance assessment within one year; and (iv) pay $8 million in total to the states. Notable features of the AVC include:

  • Information Security Program. Wawa must develop, implement and maintain a written information security program (the Program) that is reviewed at least annually and that includes:
    • Documented methods and criteria for managing information security risks. Notably, Wawa is not required to curtail proper objectives or utility of its services, and the burden imposed by the safeguards must be proportionate to the risk reduced.
    • Annual comprehensive risk assessments for networks where sensitive personal information is stored. Additionally, risk assessments should occur after changes to the security of such networks that may significantly increase risks to consumers and must be “conducted by parties that are competent to model threats … and who may capably estimate risks that are created by those threats.”
    • Employing a qualified employee to oversee the Program and to advise the CEO and Board.
    • Conducting training that occurs at least annually for employees with key responsibilities for implementation and oversight of the Program.
  • Information Security Safeguards. Wawa is required to implement reasonable security for sensitive personal information that includes:
    • Reasonable knowledge of the actual and intended location and disposition of sensitive information.
    • Reasonable steps to ensure only approved software operates within its environment.
    • Segmenting of personal information from people, systems and networks outside the cardholder data environment (Wawa’s personnel, processes and technologies that store, process or transmit payment card information of consumers).
    • Reasonable measures to detect, investigate, contain, respond to, eradicate and recover from security incidents within reasonable time periods.
    • Reasonable implementation of access controls (e.g., multifactor authentication, one-time pass codes, etc.).
    • Implementing and maintaining a system designed to collect, manage and analyze security logs and monitor its cardholder data environment.
    • Compliance with PCI DSS and validating PCI DSS compliance as a Level 1 merchant/service provider through engaging a PCI qualified security assessor (QSA), resulting in delivery of a compliance report and attestation of compliance. Cooperation with this requirement includes providing all internal and external risk assessments unless protected by attorney-client privilege.
  • Settlement Compliance Assessment. Within one year, Wawa must obtain an information security compliance assessment from a third party that includes (i) a description of administrative, physical and technical safeguards maintained by Wawa; (ii) an explanation of the extent to which these safeguards are appropriate; (iii) an explanation of the extent to which the safeguards meet the needs of the Program; and (iv) identification of Wawa’s QSA for the purposes of PCI validation. According to the AVC, a PCI Report of Compliance meets the third-party assessment requirement.

Conclusion

The Wawa data breach and settlement highlight the importance of reviewing information security programs to ensure that they are adequate and include sufficient oversight, mechanisms for logging and capabilities to respond to potential security incidents. A notable feature of this breach that contributed to its severity is its nine-month duration. Businesses should ensure that they have adequate network security mechanisms in place, particularly with respect to detection and alerts to ensure that security incidents do not go undetected. Breaches that go undetected for long periods of time can cause significant consumer impact and may require costly settlements.

Additionally, this settlement highlights the importance of ensuring adherence to applicable standards like PCI DSS. Although PCI DSS compliance is enforced by major card brands, failure to comply with applicable industry standards may be an important component of regulatory investigations and their resolution. Businesses, in assessing their information programs, should be sure to review compliance with industry standards, identify and eliminate gaps where appropriate, and ensure employees are trained on relevant policies and procedures.