A former Wawa store manager alleges in a proposed class action that he was inappropriately fired in a “sheepish” effort by the convenience store and gas station chain to show it has finally begun to take the security of customers’ information seriously.
The plaintiff alleges that in the wake of the 2019 data breach, he and “likely hundreds” of other employees have been made scapegoats as the company and its co-defendants turn a more vigorous eye toward monitoring Wawa’s computer systems. Wawa, “after having slept at the wheel for years” with regard to cybersecurity, the 43-page lawsuit says, has left its own workers “caught in the crossfire” while it attempts to contain “the public relations nightmare” it’s faced since announcing the cyber incident last month.
Rather than investigate and bolster its data protection practices, Wawa and co-defendants Wild Goose Holding Co., along with a handful of current and former executives, have allegedly directed their ire at employees, who, according to the complaint, still have not been formally told their data was compromised in the breach. From the lawsuit:
Instead of trying to catch and prosecute the cybercriminals who have inflicted serious financial and emotional harm upon [the plaintiff] and his family, and likely hundreds of other Wawa employees and their families who are believed to have had their [personally identifiable information] compromised by the data breach but have yet to be informed by Wawa of the compromise of their [personally identifiable information], Wawa chooses to police only its employees, treating them like criminals in a military state if they fail to follow Wawa’s unwritten, but illegal, policies and procedures described more fully below.”
More broadly, the case charges Wawa and its higher-ups have “intentionally misrepresented the nature and scope” of the breach, claiming that only consumers’ information was compromised. Citing a Wawa job posting for an “incident response associate” made public 16 days before the company announced the data breach and an advisory from Visa issued last summer, the suit charges the Pennsylvania company knew about the incident far earlier than it let on.
Cutting Corners: “Save Money to Make More Money”
A pillar of the plaintiff’s lawsuit is what he describes as Wawa’s “unspoken credo” of saving money to make money. While this philosophy is in part responsible for turning Wawa into the successful business it’s become, the company’s profits have come “at the expense of its hard working employees and unwittingly loyal customers,” the suit says, adding that a company does not evolve from a mom-and-pop shop into a multi-billion-dollar corporation “without cutting a few corners.” In the plaintiff’s case, the lawsuit continues, Wawa’s apparent “passion for winning” has cost the man his job and his identity.
One of the corners cut by Wawa concerns the adequate safeguarding of customer and employee information, the plaintiff alleges. Wawa is said to have made the “deliberate” decision to maintain “antiquated information technology systems” ripe for attack by cyber criminals solely for cost-saving purposes. Plainly, the lawsuit alleges Wawa and its co-defendants negligently and incompetently allowed unauthorized parties to access personally identifiable customer and employee data “simply to try to save money for the company.”
A “Shameful” Coverup, Lawsuit Says
Forgotten in the rubble of the data breach is the fact that Wawa workers, who are required to provide the company with their home addresses, Social Security numbers and other confidential details upon being hired, also had their sensitive information compromised. To date, the case claims, Wawa employees still have not been informed by the company that their personal information was compromised and were, in fact, led to believe the opposite.
The plaintiff, who filed the case alongside his wife, claims he’s been grappling with thousands of dollars in erroneous charges made to new credit accounts wrongfully opened with the couple’s personal information. Those responsible for opening the fraudulent accounts, according to the suit, accessed the plaintiff and his wife’s information during the Wawa data breach and proceeded to “destroy” the couple’s credit.
As a result of Wawa’s neglect, new credit accounts have been opened in [his] name, using [the plaintiffs’] home address as the billing address, by unknown persons who used [the plaintiffs’] confidential PII Wawa was entrusted to secure. Thousands of dollars were billed to these accounts, and the bills were sent to [the plaintiffs’] home for payment.”
The plaintiff scathes that he and other Wawa employees were “intentionally deceived” by the company’s senior management for months about what was happening to their personally identifiable information. Wawa’s senior management is alleged to have known prior to the company’s announcement of the breach on December 19 that its computer systems had been accessed by cyber criminals. The plaintiff says that on the day of Wawa’s announcement of the data breach, he was ordered to go into his store on his day off to await further instructions from management “only to sit … idly by for hours” for direction that never came.
As the plaintiff tells it, the defendants shaped the narrative of the data breach to frame it as though only consumers were affected. The truth, the plaintiff alleges, is that the incident involved Wawa employees just the same, as the workers too had their information left out in the open for hackers. More from the complaint:
On December 19, 2019, neither [the plaintiff] nor any of the other Wawa GMs were advised that their employee [personally identifiable information] had been compromised, and that the Wawa computer systems were invaded by cybercriminals who had access to their employee [personally identifiable information]. Instead, [the defendants], believed to be with the knowledge, approval and consent of [co-defendants], willfully misrepresented the nature and scope of the data breach as being limited only to consumer credit card information due to malware, and willfully deceived Wawa employees that they had nothing to worry about as it concerned their employee [information] in the care of Wawa. That deception allowed the loss of Wawa employee [information] to continue unabated, and caused continuing harm to [the plaintiffs], including the drop in [the plaintiff’s] credit score.”
According to Law360, the plaintiffs’ attorney said Wawa has amplified its focus on its computer systems in the wake of the data breach. The plaintiff was caught in that wave, Law360 reports, as the man was fired reportedly after making changes to the overtime hours of employees working under him. The plaintiff’s attorney told Law360 that the man had become “collateral damage” in Wawa’s campaign to show its concern for cybersecurity as the result of changing workers’ overtime hours to comply with the company’s own policy of limiting the amount of overtime an individual can work.
“They’re monitoring the system too tightly because of the hackers, and that’s how he got red-flagged,” the plaintiffs’ attorney told Law360. “He was doing what he was trained to do.”
“So what did Wawa do: nothing.”
The lawsuit alleges Wawa, despite knowing that something was happening to its computer systems, “stayed silent for weeks, if not months” before its CEO issued an open letter to consumers about the data breach. In addition to Wawa posting a job opening for an “incident response associate” on December 3, the case claims Visa, one of Wawa’s largest financial services vendors and direct partners, also issued an advisory to the company in mid-November 2019. The notice stated that gas stations, such as those operated by the defendant, had emerged as “attractive targets for cybercriminals” given the sluggishness with which they’ve adopted more-secure payment processing technology. Gas stations like those owned by Wawa, the suit continues, were even hit with two data breaches in the summer of 2019, which Visa stressed called for companies to bolster their security.
Rather than heed Visa’s warning, Wawa instead did nothing, the suit says, choosing to maintain the status quo rather than pay to implement better cybersecurity safeguards. Further, Wawa created what the plaintiff calls an “information vacuum” by withholding the data breach threat from its employees and downplaying the severity of the incident.
“Had Wawa taken appropriate steps at the appropriate time, the [plaintiffs’] [personally identifiable information] would not have [been] stolen and used against them,” the case argues.
Who does the lawsuit cover?
The suit seeks to cover all current and former Wawa employees and their spouses who, beginning in at least March 2019 and continuing through the present, had their personal information accessed, disseminated and/or used by unauthorized parties as a result of the breach of Wawa’s computer systems.
The complaint can be read below. ClassAction.org’s coverage of the wave of lawsuits filed over the Wawa data breach can be found here.