Md. Attorney General announces multistate settlement with Wawa over 2019 data breach

MARYLAND – Attorney General Brian Frosh has announced that Maryland is part of a multistate settlement with Wawa over a 2019 data breach.

The $8 million settlement resolves a December 2019 data breach that compromised approximately 34 million payment cards used at Wawa stores. We’re told Wawa has also agreed to a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

The Wawa data breach occurred after hackers gained access to Wawa’s computer network in late 2018 through a phishing attack and later deployed malware on Wawa’s point-of-sale terminals. The malware then extracted Wawa customers’ sensitive payment card information between April 18, 2019 and December 12, 2019, and affected stores in each of the six states where Wawa operates: New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia, as well as Washington D.C.

Under the settlement, Wawa has agreed to a series of provisions designed to strengthen its data security practices. These include:

• Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information
• Providing resources necessary to fully implement the company’s information security program
• Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program
• Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management
• The company will undergo a post-settlement information security assessment that, in part, will evaluate its implementation of the agreed upon information security program

Frosh says that Maryland will receive a total of $483,057 from the settlement. Joining AG Frosh in the investigation and today’s settlement are the attorneys general of Delaware, the District of Columbia, Florida, Pennsylvania, New Jersey, and Virginia.