News

Actions

Attorney General Miyares announces $8 million data breach settlement with Wawa

Wawa.jpg
Posted at 2:16 PM, Jul 26, 2022

RICHMOND, Va. - Attorney General Jason Miyares announced that he, along with six other attorneys general, has reached an $8 million settlement with Wawa to resolve a 2019 data breach.

The breach compromised approximately 34 million payment cards used at Wawa stores. According to Miyares' office, this is the third-largest credit card data breach settlement reached by state attorneys general, behind Target and the Home Depot.

Miyares' office said the Commonwealth's share of the settlement is $682,432.14.

Other impacted states included New Jersey, Pennsylvania, Florida, Delaware and Maryland, as well as the District of Columbia.

“It is imperative that businesses employ every reasonable security measure to protect their customers and prevent sensitive data breaches like this one.” Attorney General Miyares said. “I am pleased we were able to reach a settlement that addresses the conduct at issue and implements safeguards going forward to ensure this type of breach does not happen again.”

In addition to the $8 million total payment to the states, Wawa will implement the following information security practices:

  • Maintain a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • Provide resources necessary to fully implement the company’s information security program;
  • Provide appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
  • Employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • The company will undergo a post settlement information security assessment which in part will evaluate its implementation of the agreed upon information security program.