Wawa agrees to payment, security changes after 2019 data breach

LAWRENCE TOWNSHIP, NJ, UNITED STATES - 2018/08/14: Wawa store in Lawrence Township, New Jersey. (Photo by Michael Brochstein/SOPA Images/LightRocket via Getty Images)

Wawa, the Pennsylvania-based convenience store chain, will pay $8 million to several states over a 2019 data breach that involved some 34 million payment cards, authorities announced Tuesday.

The Pennsylvania attorney general's office said Wawa Inc. did not take reasonable security measures to prevent hackers from installing malware that is thought to have collected card numbers, customer names and other data.

The company said in December 2019 that its information security team discovered the malware and two days later were able to stop the breach, which affected hundreds of Wawa locations along the East Coast, from Pennsylvania to Florida. In-store payments and payments at fuel dispensers were affected, but ATM machines were not.

In a statement Tuesday, Wawa said it notified authorities, cooperated with investigators and has assisted those affected by the breach.

"From the outset, our focus has been to make this right for our customers and communities," the company's news release said. "We continue to take the necessary steps to safeguard our information security systems."

Pennsylvania Attorney General Josh Shapiro said Wawa has agreed to new policies to toughen its security efforts to combat data breaches.

The settlement was made with attorneys general in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia, and Washington, D.C.