The Christmas season is normally a time for shopping, celebrating, and exchanging gifts with loved ones. Instead, customers of Wawa convenience stores got a not-so-merry surprise just before the holidays. On December 19, 2019, the nationwide chain announced a massive data breach that compromised the credit and debit card data of thousands of customers. In the aftermath of the breach, several customers are suing the chain for negligence, claiming the company failed to take suitable security measures to protect sensitive data from cyberattacks.
Wawa is the latest in a string of major companies targeted by hackers who install malicious software to gain ongoing access to payment data. According to CEO Chris Gheysens, hackers used malware to breach the payment processing systems at in-store terminals and fuel stations across 850 locations. For unsuspecting customers who swiped their credit or debit cards, the breach potentially exposed their names, card numbers, and expiration dates — the only details needed for many online purchases. While the company isn’t sure which of its stores were affected, Gheysens assured the public that debit card PINs, CVV security codes, and ATM transactions weren’t compromised in the cyberattack.
In an apology letter on behalf of Wawa, Gheysens stated that the malware was introduced sometime after March 4, 2019, and wasn’t detected until December 10. With the help of forensic specialists and law enforcement, Wawa was able to contain the breach by December 12 and narrow down the nine-month timeframe when the intrusion likely took effect. Gheysens also announced that the company is offering one year of free credit monitoring and identity theft protection to safeguard customers from further threats. Unfortunately for some customers, the company’s efforts didn’t come soon enough.
As of December 29, 2019, Wawa is facing six lawsuits that may develop into a class action complaint. One data breach plaintiff, Tabitha Hans-Arroyo, says she lost access to her Capital One credit card funds on Christmas Eve when the company blocked a suspicious $2,535.15 charge. Like other victims of cyberattacks, Hans-Arroyo has to deal with the inconvenience of an account freeze during the holidays, as well as the lingering uncertainty about other data that could have been exposed.
The suit seeks to hold Wawa accountable for falling short of consumer protection laws and taking a “cavalier” approach to cybersecurity. In the meantime, other retail chains should learn from this recent data breach and be vigilant about conducting routine security checks and keeping up with the latest risk prevention recommendations from the Federal Communications Commission.