RICHMOND, Va. (WRIC) — Virginia Attorney General Jason Miyares announced that an $8 million settlement has been reached with Wawa, Inc., to resolve a 2019 data breach that compromised approximately 34 million payment cards used at Wawa stores.

According to the communication from the Office of the Attorney General, this is the third-largest credit card data breach settlement reached by state attorneys general, behind Target and The Home Depot. The Commonwealth’s share of the settlement is $682,432.14.

The Wawa data breach happened after hackers gained access to the company’s computer network in late 2018 through a phishing attack and later deployed malware on Wawa’s point-of-sale terminals.

The malware extracted Wawa customers’ sensitive payment card information between April 18, 2019 and December 12, 2019. The data breach affected stores in each of the six states where Wawa operates—New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia—as well as the District of Columbia.

Attorney General Miyares and the other participating Attorneys General allege that Wawa failed to employ reasonable information security measures to prevent the data breach, and therefore violated state consumer protection and personal information protection laws.

“It is imperative that businesses employ every reasonable security measure to protect their customers and prevent sensitive data breaches like this one,” Miyares said in a statement issued through a press release. “I am pleased we were able to reach a settlement that addresses the conduct at issue and implements safeguards going forward to ensure this type of breach does not happen again.”

In addition to the $8 million total payment to the states, Wawa has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

The settlement requires that Wawa implement a number of information security practices:

  • Maintain a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • Provide resources necessary to fully implement the company’s information security program;
  • Provide appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program;
  • Employ specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • The company will undergo a post-settlement information security assessment which in part will evaluate its implementation of the agreed-upon information security program.

10 On Your Side reached out to the AG’s office to clarify if Wawa customers impacted by the data breach would be compensated in any way as a result of this settlement. A spokesperson confirmed, “this case does not contain consumer restitution.”