Wawa

In 2019, Wawa experienced a significant data breach lasting **eight months (March 4–December 12)**, in which **malware on payment processing servers** exposed the **credit/debit card details** (numbers, expiration dates, and cardholder names) of customers across **all 850 stores and fuel pumps**. The breach led to **fraudulent transactions**, prompting a **$9 million settlement** distributed via eGiftCards. Victims received **$5–$500** based on their losses: $5 for fraud with reversed charges, $15 for fraud without out-of-pocket costs, and $500 for verified financial harm. The breach was halted after its discovery on **December 10, 2019**, but the prolonged exposure and the resulting **customer financial fraud** underscored the severe operational and reputational damage. Wawa’s response included direct compensation but faced scrutiny over delayed detection and communication.

Source: https://nj1015.com/wawa-data-breach-settlement/

Wawa, Inc. cybersecurity rating report: https://www.rankiteo.com/company/wawa-inc-

"id": "WAW1302913112225",
"linkid": "wawa-inc-",
"type": "Breach",
"date": "12/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'millions (all customers who '
                                              'used cards at Wawa stores/fuel '
                                              'pumps between March 4–December '
                                              '12, 2019)',
                        'industry': 'Retail (Food & Beverage, Fuel)',
                        'location': 'Primarily U.S. East Coast (850 stores)',
                        'name': 'Wawa, Inc.',
                        'type': 'retail/convenience store chain'}],
 'attack_vector': 'malware on payment processing servers',
 'customer_advisories': ['eGiftCard settlement emails (sent Nov 19, 2021+) '
                         "with subject line 'Wawa Settlement eGift Card'"],
 'data_breach': {'data_exfiltration': 'likely (malware designed to steal card '
                                      'data)',
                 'number_of_records_exposed': 'millions (exact number '
                                              'undisclosed)',
                 'personally_identifiable_information': ['cardholder names',
                                                         'card numbers',
                                                         'expiration dates'],
                 'sensitivity_of_data': 'high (full payment card details)',
                 'type_of_data_compromised': ['payment card data (PII)']},
 'date_detected': '2019-12-10',
 'date_resolved': '2019-12-12',
 'description': "Between March 4 and December 12, 2019, malware on Wawa's "
                'payment processing servers exposed credit and debit card data '
                '(including card numbers, expiration dates, and cardholder '
                "names) of customers who used their cards at any of Wawa's 850 "
                'stores or fuel pumps. The breach was discovered on December '
                '10, 2019, and contained two days later. A $9 million '
                'settlement was reached, with affected customers receiving '
                'eGiftCards of varying amounts ($5, $15, or $500) based on '
                'their fraud-related losses. The breach lasted approximately 8 '
                'months and impacted millions of customers.',
 'impact': {'brand_reputation_impact': 'moderate (public breach disclosure and '
                                       'settlement)',
            'data_compromised': ['credit/debit card numbers',
                                 'card expiration dates',
                                 'cardholder names'],
            'downtime': '2 days (containment period)',
            'financial_loss': '$9 million (settlement payout)',
            'identity_theft_risk': 'high (payment card data exposed)',
            'legal_liabilities': '$9 million settlement',
            'payment_information_risk': 'high (full card details compromised)',
            'systems_affected': ['payment processing servers']},
 'investigation_status': 'resolved (settlement reached)',
 'motivation': 'financial gain (likely theft of payment card data for fraud)',
 'post_incident_analysis': {'corrective_actions': ['settlement payouts',
                                                   'likely security upgrades '
                                                   '(undisclosed)'],
                            'root_causes': ['malware infection on payment '
                                            'processing servers']},
 'references': [{'source': 'New Jersey 101.5 (Townsquare Media)'}],
 'regulatory_compliance': {'legal_actions': ['class-action lawsuit settlement '
                                             '($9M)']},
 'response': {'communication_strategy': ['email notifications to affected '
                                         'customers (sent Nov 19, 2021+)',
                                         'public settlement details'],
              'containment_measures': ['malware removal from payment servers'],
              'incident_response_plan_activated': 'yes (discovered on Dec 10, '
                                                  '2019; contained by Dec 12, '
                                                  '2019)',
              'recovery_measures': ['$9M settlement with eGiftCard payouts to '
                                    'affected customers']},
 'title': 'Wawa Data Breach (2019) – Exposure of Customer Payment Card Data',
 'type': ['data breach', 'malware attack', 'payment card compromise']}