Between April and December 2019, hackers penetrated the computer systems of Wawa Inc. and installed malware that allowed them to obtain the payment card details of 34 million consumers in Delaware, the District of Columbia, Florida, Maryland, New Jersey, Pennsylvania and Virginia. Now, the attorneys general of those jurisdictions have entered into an Assurance of Voluntary Compliance with the company. It is the third largest attorneys general credit card breach settlement ever.
According to the attorneys general, Wawa, a privately held company that owns and operates over 850 convenience stores and gasoline stations, learned of the data breach on December 10, 2019, and neutralized the malware by December 12, 2019. The company later informed the public of the breach and the concomitant danger of fraud. When the breach occurred and while the malware was operating on Wawa’s network, the company’s Information Security Team did not generate a log of information events or alerts related to the incident. The Payment Card industry Forensic Investigator assigned to the incident found three violations of payment card industry data security standards. The attorneys general allege that Wawa failed to employ reasonable data security measures, and that the company’s conduct violated the personal information protection acts and consumer protection laws of the seven states and territories where Wawa operates. The relevant statutes are enumerated in Appendix A and B to the Assurance.
The Assurance of Voluntary Compliance requires that Wawa develop, implement and maintain a written comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality of sensitive personal information the company collects, stores and transmits.
The information security program must be developed and implemented within 180 days of execution of the Assurance of Voluntary Compliance, and must include:
- Documented methods for managing information security risks;
- Annual comprehensive risk assessments, and annual reviews of the effectiveness of the company’s information security program;
- Administrative, technical and physical safeguards commensurate with the size, complexity, and nature of Wawa’s operations, and the sensitivity of the personal information it maintains;
- Security awareness training for personnel with key responsibilities for implementation and oversight of the information security program;
Pursuant to the Assurance of Voluntary Compliance, Wawa must also employ a qualified individual to oversee the information security program. The company must conduct vulnerability assessments and penetration tests in order to understand the effectiveness of its safeguards against foreseeable threats, and it must implement reasonable controls to ensure that its systems are accessible only to those with appropriate credentials, including through network segmentation and multi-factor authentication and other security enhancements. In addition, Wawa must use industry-approved methods of encryption or tokenization to process cardholder data, and generally comply with the current version of the Payment Card Industry Data Security Standard published by the Payment Card Industry Security Standards Council.
Wawa is also required to engage a third party assessor who is a certified information systems security auditor or professional and who will produce an information security compliance assessment within one year. The assessment must describe the safeguards maintained by Wawa and the state of their implementation, and the company must take corrective action within a reasonable time to remedy any deficiencies identified in the assessment.
The monetary component of the Assurance of Voluntary Compliance requires that Wawa pay $8 million to the attorneys general, including over $2.5 million to New Jersey and Pennsylvania, $1.1 million to Florida, $682,432 to Virginia, $483,057 to Maryland, and smaller amounts to Delaware and the District of Columbia.
Although Wawa has agreed to comply with the terms of the Assurance of Voluntary Compliance, the company neither admits, agrees with, nor concedes the facts recited by the attorneys general. The Assurance is not intended for purposes other than settlement, and may not be construed as an admission of liability by Wawa.