in Newswire December 23, 2019

Wawa Hit with Class Action Lawsuit Over Nine-Month Data Breach

by Corrado Rizzi

Last Updated on December 23, 2019

View Comments

Kaufman v. Wawa, Inc.

Filed: December 23, 2019 § 2:19-cv-06032

Read Complaint

A class action alleges Wawa could have done more to properly safeguard customers' payment card details during a months-long 2019 data breach.

Defendant(s)

Wawa, Inc.

Law(s)

State(s)

Pennsylvania

Wawa, Inc. has been hit with a proposed class action lawsuit over a data breach that affected the New Jersey convenience store and gas station operator’s systems across six states from March through December 2019. While the exact number of consumers affected by the cyber incident has not been disclosed, the 35-page complaint decries Wawa’s alleged failure to both secure and safeguard customers’ personally identifiable information (PII) and provide timely notice to those whose personally identifiable details were stolen.

According to the suit, Wawa, which oversees more than 750 convenience stores, has confirmed malware was discovered on its payment processing servers at possibly all of its locations “beginning at different points in time” after March 4, 2019, and continuing through December 12. The complaint states information accessed during the data breach primarily included credit and debit card numbers, expiration dates and cardholder names used at Wawa stores’ payment terminals and fuel dispensers. 

The plaintiff, a Florida resident, stresses that despite discovering the breach on December 10, Wawa has yet to “inform the public why it delayed” notifying consumers. According to the case, it wasn’t until December 19 that Wawa’s CEO, in an open letter to customers, disclosed that the company believed the malware “no longer poses a risk” to payment card users while assuring that none of the defendant’s ATMs were at risk. 

The case charges Wawa “knew, or reasonably should have known,” of the highly sensitive nature of the payment card information collected at its stores. The company should have similarly known that such information is “highly susceptible to attack” and unauthorized use by bad actors, the suit says. 

From the complaint: 

“Wawa disregarded the rights of Plaintiff and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and/or payment processor servers and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis.”

Per the suit, those affected by the Wawa data breach are at a heightened risk of identity theft and must bear the additional cost of identity theft detection and prevention, among other damages. 

The lawsuit looks to cover a class of all consumers in the U.S. whose personally identifiable information was acquired by unauthorized persons in the Wawa data breach announced December 2019.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on December 23, 2019 — 4:12 PM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Managing Editor and a writer for ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.