Wawa Pays PA, Others $8 Million in Data Breach Deal

A Wawa fueling station (at top) in Chester County

HARRISBURG PA – Wawa Inc. – the convenience store and fuel chain with local operations in Pottstown, Gilbertsville, Royersford, Spring City, Douglassville, Zieglerville, Schwenksville, Collegeville and Harleysville – will pay $8 million in a settlement agreement with seven states to resolve a December 2019 data breach. It also agreed to beef up security practices and safeguard customer information.

Pennsylvania will collect $2.525 million, the largest share under the settlement, state Attorney General Josh Shapiro said Tuesday (July 26, 2022). Delaware, Florida, Maryland, New Jersey, Virginia, and District of Columbia will divide the remainder. Consumers benefit from some assurance that their personal information in Wawa’s databases will be protected in the future, Shapiro claimed.

He said about 34 million payment cards, and of those 9.1 million in Pennsylvania, used across all of Wawa’s hundreds of stores were compromised between April and December 2019. That’s when hackers attacked its network, installed harmful software on company payment processing servers, and obtained access to customers’ payment card information.

An investigation, begun after Wawa notified the state of the data breach, concluded the company “failed to employ reasonable security measures,” according to Shapiro. The settlement requires it to adopt a detailed list of five new corporate policies intended to deter future incidents. It also holds “hold Wawa accountable for the data breach that occurred on their watch,” he added.

File photo by The Post