Wawa, the American convenience store and gas station chain that has suffered a catastrophic data breach incident in 2019, is now settling the class action lawsuit that represented affected customers through a $9 million settlement. The customers will now receive reimbursements in three tiers, starting from $5, going up to $15, and reaching a maximum of $500, depending on the severity and magnitude of the effects of the data breach on them specifically.
The company had its POS systems infected by card data-stealing malware that remained active on the payment terminals between March 4, 2019, and December 12, 2019. During this period, whatever payments were made by customers on any of the 850 Wawa locations across the United States had, as a result, the exfiltration of their card details. In January 2020, a pack of 30 million “perfect pure” credit cards stolen from Wawa’s POS, including full numbers, expiration dates, cardholder names, and even CVV2 numbers, was put up for sale on the now-defunct ‘Joker’s Stash’ marketplace.
The company responded to the emergency with an announcement that advised customers on what to do and also covered the cost of identity theft protection services. However, the consequences of this breach were dire, and a class-action lawsuit for failing to protect people’s sensitive data (as well as not publicly disclosing the breach as soon as it was made apparent to Wawa) was inevitably submitted in the U.S. District Court for the Eastern District of Pennsylvania.
Wawa has agreed to settle the case and is defining the following three tiers for affected customers:
If you are eligible for any of the above, you have until November 29, 2021, to submit a claim for the reception of the corresponding compensation. By doing so, you are waiving your right to further pursue any legal action against Wawa regarding the particular security incident.