Wawa has agreed to pay $8 million to seven states after attorneys general sued the Delaware County-based convenience store chain over a hack that potentially exposed millions of people's credit and debit cards to digital thieves, according to a statement by Attorney General Josh Shapiro on Tuesday.
Malware running on Wawa's computer servers between April and December 2019 exposed more than 9.1 million payment cards to hackers, according to Shapiro's office.
Pennsylvania will get $2.5 million of the settlement. New Jersey and five other states will also receive payments. The money will go to the attorney general's office to pay, in part, for attorney's and court fees. The settlement agreement did not specify if any Wawa customers would receive any of the settlement money. A class action lawsuit was filed by customers in late December 2019 after the breach became public. The status of that suit could not immediately be determined Tuesday.
Wawa also agreed to "develop, implement, and maintain a comprehensive information security program ... that is reasonably designed to protect the security, integrity, and confidentiality of Sensitive Personal Information Wawa collects, stores, transmits and/or maintains," according to the settlement.
“Today’s settlement will help protect Pennsylvanians personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” Shapiro said. “Thanks to this work Wawa will adopt new corporate policies to deter data breaches in the future. Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office.”