On December 19, Wawa, Inc., a Pennsylvania-based convenience store and fuel service company with over 800 stores in Pennsylvania, Delaware, New Jersey, Maryland, Virginia and Florida, announced its payment processing systems were breached. Credit and debit card information was obtained by malware that was installed at some point after March 4, 2019 on Wawa’s computer systems. By April 22, 2019, nearly all of its stores were infected with this malware. From those dates until December 12, 2019, when Wawa’s information technology (IT) team identified and blocked the malware, payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at Wawa in-store payment terminals and fuel dispensers, was compromised. According to the open letter authored by its CEO and posted on Wawa’s website, the data breach did not affect debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, or driver’s license information used to verify age-restricted purchases. Wawa is offering one year of free credit reporting service to customers who believe their data has been breached.
The business community continues to be plagued by cyber crime. At Brouse we have successfully provided support to companies impacted by ransomware and other similar cyber incidents such as the one Wawa just experienced. We cannot overstate how important it is that you have a security team and plan in place to respond swiftly to data security incidents.
The exercise of identifying a security team and developing an incident response plan will not only help you prepare for the logistics related to notification and recovery, but will also better prepare your organization for all the legal obligations owed to your customers, employees, vendors and government agencies in the event of an incident. Many states, including Ohio, have data privacy laws which require notification in certain situations to those whose data has been breached. Under the Ohio Data Protection Act, businesses that have a qualified and properly documented cyber security program may claim an affirmative defense against civil liability related to a data breach.
Incidents happen daily… Brouse McDowell urges companies to be proactive about corporate data security. No incident or network compromise is small enough to ignore, as hackers have been known to hold onto data for several months and then resurface when guards are down. Vigilance is critical when securing one of your most valuable resources—your data.