Wawa was named in a class-action lawsuit alleging negligence in the aftermath of a massive data breach.
Wawa recently found itself in the hot seat when six people stepped forward with a class-action lawsuit in the aftermath of a data breach that “potentially exposed the credit and debit information of customers across the company’s territory.” The company announced the data breach back on December 19 and noted it “affected all 850 of its locations.” It turns out the malware behind the breach first began running March 4, though it wasn’t detected until December 12.
As part of the massive breach, sensitive information belonging to customers was compromised, including “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” However, debit card PIN numbers, credit card CVV2 numbers, and driver’s license information were not compromised in the breach, according to Wawa.
One of the plaintiffs suing the company is Tabitha Hans-Arroyo. According to her, she became aware of the breach when she was notified of a suspicious charge by Capital One on December 24. Someone “had made an unauthorized $2,535.15 purchase on Walmart.com.” Before Wawa discovered the breach, Hans-Arroyo “used her card at the store almost daily.” As a result of her experience and the experiences of countless others, the suit accuses the company of “negligence, breach of contract and violations of state consumer protection statutes.”
Another plaintiff, Ronnie Kaufman, said Wawa should have been aware that it was “highly susceptible to attack.” He added that the company “failed to inform customers in a reasonable timeframe, waiting a week before making the breach public.” The suit further states:
Wawa disregarded the rights of Plaintiff and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and/or payment processor servers and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis.
As part of the class-action suit, Hans-Arroyo and Kaufman are seeking to recover damages caused by the breach. Additionally, the suit “aims to recover damages for a class of all Wawa consumers in the U.S. whose personally identifiable information was acquired by unauthorized persons.”
When confronted about the data breach, Chris Gheysens, the CEO of Wawa, apologized and said his company is “providing one year of free identity theft protection and credit monitoring.” For now, customers affected by the breach may call 1-844-386-9559 for more information about the credit monitoring service.