Wawa, Inc. has been hit with a proposed class action lawsuit over a data breach that affected the New Jersey convenience store and gas station operator’s systems across six states from March through December 2019. While the exact number of consumers affected by the cyber incident has not been disclosed, the 35-page complaint decries Wawa’s alleged failure to both secure and safeguard customers’ personally identifiable information (PII) and provide timely notice to those whose personally identifiable details were stolen.
According to the suit, Wawa, which oversees more than 750 convenience stores, has confirmed malware was discovered on its payment processing servers at possibly all of its locations “beginning at different points in time” after March 4, 2019, and continuing through December 12. The complaint states information accessed during the data breach primarily included credit and debit card numbers, expiration dates and cardholder names used at Wawa stores’ payment terminals and fuel dispensers.
The plaintiff, a Florida resident, stresses that despite discovering the breach on December 10, Wawa has yet to “inform the public why it delayed” notifying consumers. According to the case, it wasn’t until December 19 that Wawa’s CEO, in an open letter to customers, disclosed that the company believed the malware “no longer poses a risk” to payment card users while assuring that none of the defendant’s ATMs were at risk.
The case charges Wawa “knew, or reasonably should have known,” of the highly sensitive nature of the payment card information collected at its stores. The company should have similarly known that such information is “highly susceptible to attack” and unauthorized use by bad actors, the suit says.
From the complaint:
“Wawa disregarded the rights of Plaintiff and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and/or payment processor servers and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis.”
Per the suit, those affected by the Wawa data breach are at a heightened risk of identity theft and must bear the additional cost of identity theft detection and prevention, among other damages.
The lawsuit looks to cover a class of all consumers in the U.S. whose personally identifiable information was acquired by unauthorized persons in the Wawa data breach announced December 2019.