Consumers who used a payment card at a Wawa between March 4 and December 12, 2019 can file a claim here.
All claims must be submitted either online or by mail by November 29, 2021.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
August 2, 2021 – Settlement Granted Preliminary Approval
The settlement detailed below has received a judge’s stamp of preliminary approval after the parties agreed to implement several recommended changes to the proposed plan for notifying those covered by the deal.
Although there were objections raised by the employee plaintiffs, who are represented by the plaintiffs in the case detailed on this page, U.S. District Judge Gene E.K. Pratter disagreed with the objectors’ concerns and found that the proposed deal is “fair, reasonable, and adequate” to the consumers it intends to cover.
As discussed below, and confirmed in a July 30 memo, the settlement will provide relief in the form of gift cards and cash payments. Those covered by the deal must file claims by November 29, 2021.
A dedicated settlement website will be set up by August 30, 2021, and a final approval hearing has been scheduled for January 26, 2022.
February 24, 2021 – Wawa Settles Data Breach Class Actions for $12 Million
Wawa has agreed to pay up to $12 million to settle class action litigation over a 2019 data breach.
According to a 41-page memo urging the court to preliminarily approve the deal, 22 million Wawa customers whose credit and/or debit cards were compromised in the breach may be entitled to one of three tiers of compensation, depending on their circumstances. Eligible Wawa customers may be able to receive a gift card of $5 or $15, or cash payments of up to $500.
Court documents state the $5 gift cards will be available to customers who used a debit or credit card to make a purchase at a Wawa between March 4 and December 12, 2019 (i.e., the relevant time period) and attest that they spent “at least some time monitoring their accounts as a result of the Data Security Incident.” Affected customers do not need to have experienced any actual or attempted misuse of their data in order to qualify for the first tier of relief, the court filing says.
Under the second tier, $15 gift cards will be available to customers who used a payment card to make a purchase at a Wawa during the relevant time period and who subsequently incurred a fraudulent charge or attempted fraudulent charge on their card, and spent “at least some time addressing the fraudulent transaction or otherwise monitoring their account.” For the proposed settlement’s third tier, cash payments capped at $500 may be available to Wawa customers who can demonstrate they paid out-of-pocket for certain costs related to the data breach, with the maximum total payment for these claims capped at $1 million in aggregate.
Lastly, the proposed settlement, which now awaits a judge’s initial approval, offers injunctive relief in the form of Wawa strengthening its payment processing environment via “enhancements” valued at no less than $35 million. Depending on the number of claims filed, the total value of $5 and $15 Wawa gift cards distributed through the settlement could reach an aggregate maximum of $8 million. The memo stresses that gift cards are an appropriate method of compensation given Wawa “maintains an unusually loyal base of repeat customers who routinely return to its 900+ stores,” adding that the majority of items for sale at Wawa cost less than $5.
“The Settlement compares favorably with settlements in similar data breach litigation and was reached only after intensive arm’s length negotiations before a skilled and engaged mediator,” the supporting memo reads.
A dedicated settlement website will be established for eligible Wawa customers to file claims for compensation. In addition, Wawa will post signage throughout its stores and at fuel pumps, issue a press release, and include details of the settlement on its website.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
A former Wawa store manager alleges in a proposed class action that he was inappropriately fired in a “sheepish” effort by the convenience store and gas station chain to show it has finally begun to take the security of customers’ information seriously.
The plaintiff alleges that in the wake of the 2019 data breach, he and “likely hundreds” of other employees have been made scapegoats as the company and its co-defendants turn a more vigorous eye toward monitoring Wawa’s computer systems. Wawa, “after having slept at the wheel for years” with regard to cybersecurity, the 43-page lawsuit says, has left its own workers “caught in the crossfire” while it attempts to contain “the public relations nightmare” it’s faced since announcing the cyber incident last month.
Rather than investigate and bolster its data protection practices, Wawa and co-defendants Wild Goose Holding Co., along with a handful of current and former executives, have allegedly directed their ire at employees, who, according to the complaint, still have not been formally told their data was compromised in the breach. From the lawsuit:
Instead of trying to catch and prosecute the cybercriminals who have inflicted serious financial and emotional harm upon [the plaintiff] and his family, and likely hundreds of other Wawa employees and their families who are believed to have had their [personally identifiable information] compromised by the data breach but have yet to be informed by Wawa of the compromise of their [personally identifiable information], Wawa chooses to police only its employees, treating them like criminals in a military state if they fail to follow Wawa’s unwritten, but illegal, policies and procedures described more fully below.”
More broadly, the case charges Wawa and its higher-ups have “intentionally misrepresented the nature and scope” of the breach, claiming that only consumers’ information was compromised. Citing a Wawa job posting for an “incident response associate” made public 16 days before the company announced the data breach and an advisory from Visa issued last summer, the suit charges the Pennsylvania company knew about the incident far earlier than it let on.
Cutting Corners: “Save Money to Make More Money”
A pillar of the plaintiff’s lawsuit is what he describes as Wawa’s “unspoken credo” of saving money to make money. While this philosophy is in part responsible for turning Wawa into the successful business it’s become, the company’s profits have come “at the expense of its hard working employees and unwittingly loyal customers,” the suit says, adding that a company does not evolve from a mom-and-pop shop into a multi-billion-dollar corporation “without cutting a few corners.” In the plaintiff’s case, the lawsuit continues, Wawa’s apparent “passion for winning” has cost the man his job and his identity.
One of the corners cut by Wawa concerns the adequate safeguarding of customer and employee information, the plaintiff alleges. Wawa is said to have made the “deliberate” decision to maintain “antiquated information technology systems” ripe for attack by cyber criminals solely for cost-saving purposes. Plainly, the lawsuit alleges Wawa and its co-defendants negligently and incompetently allowed unauthorized parties to access personally identifiable customer and employee data “simply to try to save money for the company.”
A “Shameful” Coverup, Lawsuit Says
Forgotten in the rubble of the data breach is the fact that Wawa workers, who are required to provide the company with their home addresses, Social Security numbers and other confidential details upon being hired, also had their sensitive information compromised. To date, the case claims, Wawa employees still have not been informed by the company that their personal information was compromised and were, in fact, led to believe the opposite.
The plaintiff, who filed the case alongside his wife, claims he’s been grappling with thousands of dollars in erroneous charges made to new credit accounts wrongfully opened with the couple’s personal information. Those responsible for opening the fraudulent accounts, according to the suit, accessed the plaintiff and his wife’s information during the Wawa data breach and proceeded to “destroy” the couple’s credit.
As a result of Wawa’s neglect, new credit accounts have been opened in [his] name, using [the plaintiffs’] home address as the billing address, by unknown persons who used [the plaintiffs’] confidential PII Wawa was entrusted to secure. Thousands of dollars were billed to these accounts, and the bills were sent to [the plaintiffs’] home for payment.”
The plaintiff scathes that he and other Wawa employees were “intentionally deceived” by the company’s senior management for months about what was happening to their personally identifiable information. Wawa’s senior management is alleged to have known prior to the company’s announcement of the breach on December 19 that its computer systems had been accessed by cyber criminals. The plaintiff says that on the day of Wawa’s announcement of the data breach, he was ordered to go into his store on his day off to await further instructions from management “only to sit … idly by for hours” for direction that never came.
As the plaintiff tells it, the defendants shaped the narrative of the data breach to frame it as though only consumers were affected. The truth, the plaintiff alleges, is that the incident involved Wawa employees just the same, as the workers too had their information left out in the open for hackers. More from the complaint:
On December 19, 2019, neither [the plaintiff] nor any of the other Wawa GMs were advised that their employee [personally identifiable information] had been compromised, and that the Wawa computer systems were invaded by cybercriminals who had access to their employee [personally identifiable information]. Instead, [the defendants], believed to be with the knowledge, approval and consent of [co-defendants], willfully misrepresented the nature and scope of the data breach as being limited only to consumer credit card information due to malware, and willfully deceived Wawa employees that they had nothing to worry about as it concerned their employee [information] in the care of Wawa. That deception allowed the loss of Wawa employee [information] to continue unabated, and caused continuing harm to [the plaintiffs], including the drop in [the plaintiff’s] credit score.”
According to Law360, the plaintiffs’ attorney said Wawa has amplified its focus on its computer systems in the wake of the data breach. The plaintiff was caught in that wave, Law360 reports, as the man was fired reportedly after making changes to the overtime hours of employees working under him. The plaintiff’s attorney told Law360 that the man had become “collateral damage” in Wawa’s campaign to show its concern for cybersecurity as the result of changing workers’ overtime hours to comply with the company’s own policy of limiting the amount of overtime an individual can work.
“They’re monitoring the system too tightly because of the hackers, and that’s how he got red-flagged,” the plaintiffs’ attorney told Law360. “He was doing what he was trained to do.”
“So what did Wawa do: nothing.”
The lawsuit alleges Wawa, despite knowing that something was happening to its computer systems, “stayed silent for weeks, if not months” before its CEO issued an open letter to consumers about the data breach. In addition to Wawa posting a job opening for an “incident response associate” on December 3, the case claims Visa, one of Wawa’s largest financial services vendors and direct partners, also issued an advisory to the company in mid-November 2019. The notice stated that gas stations, such as those operated by the defendant, had emerged as “attractive targets for cybercriminals” given the sluggishness with which they’ve adopted more-secure payment processing technology. Gas stations like those owned by Wawa, the suit continues, were even hit with two data breaches in the summer of 2019, which Visa stressed called for companies to bolster their security.
Rather than heed Visa’s warning, Wawa instead did nothing, the suit says, choosing to maintain the status quo rather than pay to implement better cybersecurity safeguards. Further, Wawa created what the plaintiff calls an “information vacuum” by withholding the data breach threat from its employees and downplaying the severity of the incident.
“Had Wawa taken appropriate steps at the appropriate time, the [plaintiffs’] [personally identifiable information] would not have [been] stolen and used against them,” the case argues.
Who does the lawsuit cover?
The suit seeks to cover all current and former Wawa employees and their spouses who, beginning in at least March 2019 and continuing through the present, had their personal information accessed, disseminated and/or used by unauthorized parties as a result of the breach of Wawa’s computer systems.
The complaint can be read below. ClassAction.org’s coverage of the wave of lawsuits filed over the Wawa data breach can be found here.
New cases and investigations, settlement deadlines, and news straight to your inbox.
A note on class action complaints:
Bear in mind that the information in this blog post summarizes the allegations put forth in the following legal complaint. At the time of this writing, nothing has been proven in court. Anyone can file a lawsuit, with or without the representation of an attorney, for any reason, and ClassAction.org takes no position on the merits of the suit. Class action complaints are a matter of public record, and our objective on this website is merely to share the information in these legal documents in an easily digestible way.