The class-action lawsuit was filed last week in the U.S. District Court for the Eastern District of Pennsylvania and brought forward several people who claim they were impacted by the months-long data breach that was fueled by malware that first came to Wawa’s attention earlier this month.
The lawsuit lays out the scope of the breach that may have impacted all of Wawa’s more than 850 location across the East Coast and the impact it could have on customers. The lawsuit also stated Wawa had an obligation to protect customer information.
“Wawa was … fully aware of its data protection obligations in light of its participation in the payment card processing networks and its daily collection and transmission of thousands of sets of card information,” according to the lawsuit.
The lawsuit further said company “security flaws run afoul of industry best practices and standards.”
Earlier this month, Wawa said in a letter to customers that a “data security incident” compromised all credit and debit card information used at potentially all of the family-owned chain locations between March 4 and last Thursday. The ATM cash machines were not impacted.
“Based on our investigation to date, this malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019. Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all. No other personal information was accessed by this malware. Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware,” the Wawa statement said.
Chris Gheysens, Wawa’s CEO, said the company planned to help customers who were impacted.
“Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident,” he said.
Following the announcement of the breach, here’s what Wawa said customers can do:
Review Your Payment Card Account Statements. We encourage you to remain vigilant by reviewing your payment card account statements. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
Register for Identity Protection Services. We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you. Information about these services is available at www.wawa.com/alerts/data-security or call toll-free to 1-844-386-9559.
Order a Credit Report. If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228.