On Tuesday, Florida Attorney General Ashley Moody and other attorneys general secured $8 million as a result of a multistate action following a Wawa data breach.
The announcement comes after an investigation into a December 2019 data breach that compromised potentially up to 34 million payment cards used at Wawa stores. Moody was joined in the multistate action by the attorneys general of five other states, as well as Washington, D.C. Florida will receive more than $1.1 million.
The data breach occurred after hackers gained access to the company’s computer network and deployed malware on point-of-sale terminals. The malware extracted customers’ sensitive payment card information between April 18, 2019, and Dec. 12, 2019, and affected stores in each of the six states where Wawa operates—Delaware, Florida, Maryland, New Jersey, Pennsylvania and Virginia—along with Washington, D.C.
“Hackers will go to great lengths to steal personal information—often targeting businesses to access the data of millions of consumers. It is important that companies take reasonable measures to protect their customers from data breaches. Through a multistate action, we are securing millions of dollars and an agreement that Wawa will implement measures to better protect the sensitive information provided by its customers,” Moody said on Tuesday.
The attorneys general allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, therefore violating state consumer protection and personal information protection laws.
In addition to the $8 million total payment to the states, Wawa agrees to implement and maintain a series of data-security practices designed to strengthen its information-security program and safeguard the personal data of consumers.
Specific security provisions include:
Maintaining a comprehensive information-security program designed to protect consumers’ sensitive personal information;
Providing resources necessary to fully implement Wawa’s information-security program;
Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information-security program;
Employing specific security safeguards with respect to access controls, comprehensive risk assessments, encryption, file-integrity monitoring, firewalls, intrusion detection, logging and monitoring, penetration testing and vendor-account management; and
A post-settlement information-security assessment that, in part, will evaluate Wawa’s implementation of the agreed-upon information-security program.
The attorneys general of the following states, along with the District of Columbia, joined Moody in the action: Delaware, Maryland, New Jersey, Pennsylvania and Virginia. Consumer Protection Division Assistant Attorneys General Patrice Malloy and Diane Oates represented Florida in the matter.