BALTIMORE — Maryland Attorney General Brian E. Frosh and six other attorneys general announced today that they obtained an $8 million settlement with Wawa to resolve a Dec. 2019 data breach that compromised 34 million payment cards used at Wawa stores.
Wawa, the gas station, agreed to a series of data security practices designed to strengthen its information security program and safeguard consumers' personal information.
In 2018, the Wawa data breach occurred when a hacker broke into the company's computer network and later deployed malware on Wawa’s point-of-sale terminals.
The malware obtained customers' personal card information between April 18, 2021, and Dec. 12, 2019, in each of these six states: New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia – as well as Washington, D.C.
“Our office remains committed to protecting the data security of all Marylanders. Our laws require businesses to guard the personal information of their customers. We will continue to enforce those laws to protect that personal information from unlawful use or disclosure,” said Attorney General Frosh.
Maryland will receive $483,057 from the settlement. The attorneys general of Delaware, the District of Columbia, Florida, Pennsylvania, New Jersey, and Virginia are joining Attorney General Frosh in the investigation and today's settlement.
Under the settlement, Wawa has agreed to several provisions to strengthen its data security practices. These include:
- Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
- Providing resources necessary to fully implement the company’s information security program;
- Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
- Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
- Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment that, in part, will evaluate its implementation of the agreed-upon information security program.