HARRISBURG, Pa. (WHTM) – Wawa has agreed to an $8 million settlement to resolve a December 2019 data breach that affected millions of Pennsylvania customers.

Pennsylvania will collect $2,525,732 through this settlement after approximately 9.1 million payment cards were affected in Pennsylvania and approximately 34 million cards were affected company-wide.

According to the Attorney General’s office, Wawa “proactively notified” them that the company experienced a data security incident. The Attorney General’s office says the investigation “concluded that Wawa failed to employ reasonable security measures, which allowed hackers to gain access to Wawa’s network and deployed malware on the company’s payment processing servers at its stores.”

The malware allowed the hackers to obtain the payment card information of Wawa customers between April 18, 2019, and December 12, 2019.

In addition to the $8 million total payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

Specific information security provisions agreed to in the settlement include:

  • Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • Providing resources necessary to fully implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
  • Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment, which in part will evaluate its implementation of the agreed-upon information security program.

“Today’s settlement will help protect Pennsylvanians’ personal information going forward and will hold Wawa accountable for the data breach that occurred on their watch,” Attorney General Shapiro said. “Thanks to this work, Wawa will adopt new corporate policies to deter data breaches in the future. Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ personal data or they will have to answer to my office.”

Joining Attorney General Shapiro in the investigation and today’s settlement are the attorneys general of Delaware, Florida, Maryland, New Jersey, Virginia, and the District of Columbia.

According to the Attorney General’s office, this is the third-largest attorneys general credit card breach settlement, behind Target and The Home Depot.
