A proposed class action alleges Wawa, Inc. failed to protect customer payment information and timely inform those affected by a 2019 data breach that hit the payment terminals and fuel dispensers at the convenience store chain’s more than 850 locations.
Wawa discovered malware on its payment processing systems on December 10, 2019 and announced the discovery via press release on December 19, the lawsuit says. The company determined that the malware was most likely active since at least March and exposed the personally identifiable information, such as credit card numbers and expiration dates, of customers who used payment terminals at “potentially all Wawa locations.”
The case claims that Wawa failed to protect customers’ highly sensitive personal information when it neglected to “implement and maintain reasonable security procedures and processes.” Moreover, the plaintiff takes issue with Wawa’s failure to directly notify affected parties of the breach outside of issuing a press release. While the malware behind the breach hit Wawa store systems as early as March 2019, the lawsuit says, the company did not detect the intrusion until roughly nine months later, leaving consumers’ data vulnerable during that time.
“Without detailed disclosures to its customers, Plaintiff and other members of the class were unknowingly and unwittingly left exposed to continued misuse and the ongoing risk of misuse of their personal data for months,” the suit states.
According to the case, had Wawa provided timely notice of the data breach, proposed class members would have been able to take the steps needed to protect their information.
Instead, as a result of the defendant’s alleged negligence, the case claims, Wawa customers remain susceptible to identity theft and may be forced to spend time and money monitoring their accounts and remedying any potential fraud for years to come. As the case tells it:
“A consumer who has had [personally identifiable information] stolen and compromised may not see the full extent of harm until years after the initial data breach.”
The lawsuit looks to represent all persons in the U.S. who provided Wawa with personally identifiable information that was accessed, compromised, or stolen as a result of the breach.