Wawa to pay up to $28.5M in data breach settlement

Dive Brief:

Convenience retailer Wawa has committed to pay up to $28.5 million to settle negligence claims stemming from a data breach that occurred in 2019, according to filings made in the U.S District Court, Eastern District of Pennsylvania.
Most of the settlement made with the three credit unions involved in the lawsuit will reimburse them for money spent canceling and replacing payment cards because of the breach, as well as losses from payment card fraud, according to the filings.
Wawa has been in settlement discussions with the financial institutions since November 2021, and general litigation over the breach has lasted more than three years.

Dive Insight:

In March 2019, hackers breached Wawa’s point-of-sale (POS) systems and installed malware on its payment terminals and fuel dispensers, allowing them to steal credit and debit card numbers, card expiration dates and cardholder names from nearly all of Wawa’s locations for the next nine months. The breach hit at least 30 million credit cards issued by about 5,000 financial institutions.

In January 2020, the credit unions — Inspire Federal Credit Union, Insight Credit Union, and Greater Cincinnati Credit Union — filed a class action suit, sparking three years of litigation. The financial institutions brought claims for negligence and declaratory and injunctive relief as they faced financial losses stemming from Wawa’s failure to take “adequate and reasonable measures to protect its point-of-sale (“POS”) payment terminals, fuel dispensers, and payment processing servers,” according to the filings.

On March 3, Wawa and the impacted financial institutions finally settled on terms. Separate from the settlement, Wawa will also pay up to an additional $9 million towards the financial institutions’ costs of notice and administration, attorneys’ fees and expense reimbursements, and service awards, according to the filings.

Although Wawa is now coming to terms with the financial institutions affected by the breach, this isn’t the first time the retailer has paid out from the data breach. In April 2022, Wawa agreed to a $12 million settlement for the nearly 22 million customers who were impacted by the breach. Three months later, the retailer agreed to an $8 million settlement split between Pennsylvania, New Jersey, Florida, Delaware, Maryland, Virginia and Washington, D.C.

Factoring in its latest payout, Wawa has now agreed to pay out about $48.5 million in settlements over the past year stemming from its 2019 data breach.

Wawa did not respond by press time to an inquiry from C-Store Dive for more details on its latest settlement.