Wawa customers could soon be eligible to receive gift cards or cash payments as compensation for a data breach the convenience chain suffered in 2019. In a recent motion filed in the Eastern District of Pennsylvania, attorneys for both parties asked Judge Gene E.K. Pratter to approve a settlement reached as the result of a class-action lawsuit filed shortly after the breach. The proposed settlement of $12.2 million is made up of $8 million worth of Wawa gift cards for those who used credit or debit cards at one of Wawa’s nearly 900 stores between March 4 and December 12, 2019, and up to $1 million in cash payments for customers who suffered out-of-pocket losses.
In the proposed settlement, the Red Roof, PA-based convenience store retailer also agreed to pay $3.2 million to cover attorney fees and other costs associated with the lawsuit, and to further secure its systems, the motion states.
The computer theft affected approximately 30 million credit and debit card numbers from more than 850 Wawa stores located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, the District of Columbia and Florida.
More than 20 class actions were filed by consumers against Wawa as a result of the data breach. The cases were consolidated in federal court in the Eastern District of Pennsylvania in June 2020. The court appointed four attorneys to serve as co-lead counsel for the consumer class, who worked on the settlement that was presented last month.
The payments to customers who were affected by the data breach fall into three categories. The first group includes customers who bought something at a Wawa with a debit or credit card during the period of the breach and spent time monitoring their accounts as a result. Those class members would be eligible to receive a $5 gift card. The second group includes customers who made a purchase and can document a fraudulent charge or attempted charge. Those customers would be eligible to receive a $15 gift card. The final group includes customers who can show they suffered losses as a result of shopping via credit or debit card at a Wawa during the course of the breach. Those members can get up to $500 to cover out-of-pocket costs including credit freeze fees, bank fees and replacement card fees.
Per the settlement, the gift cards would be valid for one year and could be used for any purchase except tobacco or nicotine products. Gift cards would also be redeemable for fuel payments made inside Wawa stores.
If the settlement is approved by the court, Wawa would be required to notify customers of the settlement process during a four-week period. This step would include posting signs at payment areas inside the stores and at fuel pumps, posting a link to the settlement site on Wawa’s website and issuing a press release including details on how to file a claim. All signs posted would include a QR code that can be scanned by customers that would automatically take them to the claims website.
Customers who opt to join the settlement would lose any right to sue Wawa in the future over the breach.
In reporting the breach in December of 2019, Wawa stated on its website: “Based on our investigation to date, the malware (on our server) affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning on March 4, 2019 and ending on December 12, 2019. Most locations were affected as of April 22, 2019.”
After the breach was discovered, Wawa rolled out an improved payment security method by installing chip card readers at its gas pumps. The data transmitted via chip-enabled cards is encrypted and only a financial institution can un-encrypt it. The proposed settlement also requires Wawa to invest an additional $35 million into upgrading its data security systems.
