The Wawa data breach: What happens now?

Typically, a long process of corporate accountability unfolds after a breach like the one Wawa announced Dec. 20, affecting 850 stores.

A closeup of a Wawa sign

Wawa located on Broad and Walnut streets. (Miguel Martinez/Billy Penn)

Wawa says it’s contained the massive data breach that may have exposed several million of its  customers’ credit and debit card information to hackers. The malware that caused the breach no longer poses a risk to customers, the company says.

But if you used a credit or debit card at any Wawa store or gas pump since March – and so many of us did — you might have been affected. The Delaware County-based company has  more than 850 stores, most with gas pumps, in six states plus Washington, D.C.

Now that consumers have been notified, what happens next?

‘Somebody’s gotta pay’

Typically, a long process of corporate accountability unfolds after a breach like the one Wawa announced Dec. 20.

  • WHYY thanks our sponsors — become a WHYY sponsor

“Somebody’s gotta pay for all this,” said Robert Siciliano, a cybersecurity expert with ETF Managers Group LLC. “Wawa is going to have to pay, and/or their insurance carrier is going to have to pay.”

Wawa’s insurance carrier will carry out forensics, to determine what is or isn’t covered. Consumers will file lawsuits, and make a case for the injuries they suffered.

At least six lawsuits, seeking class-action status, have already been filed, according to The Philadelphia Inquirer. The lawsuits accuse Wawa of failing to take adequate security precautions. One plaintiff, Tabitha Hans-Arroyo, says she went to Wawa regularly during the data breach. She noticed that someone tried to charge $2,535.15 to her credit card on Dec. 24.

The whole process can take a couple years to resolve and cost companies a hefty sum. A big data breach in 2013, for instance, cost Target more than $160 million in expenses. And analysts estimated a 2007 data breach might have cost TJX, which operates T.J. Maxx, Marshalls and HomeGoods stores, $1 billion or more.

Often, however, lawsuits don’t turn out much for consumers, according to Siciliano.

“You might get 10% off your next purchase,” he said. “Usually, it’s the lawyers that might have a payday of sorts. In the end, most of the money goes towards paying out identity theft protection, and compensation for all the banks and credit card companies that suffered losses.”

The breach itself

According to a letter from CEO Chris Gheysens, Wawa discovered the malware on its payment-processing servers on Dec. 10. The malware exposed credit and debit numbers, expiration dates and cardholder names, the company says, but did not affect PIN numbers or security codes. In-store ATMs were not involved.

Wawa’s servers were first hacked on Mar. 4, possibly through a single employee clicking on a bad link or email attachment, Siciliano said. From there, the hackers might have been able to carve a path to the company’s payment servers.

The malware ran undetected for about nine months. That seems like a long time, but it can take security software that long to update and recognize new malware, Siciliano said.

“It’s not out of the ordinary for some of these data breaches to take in excess of a year to detect,” he said. According to Philadelphia magazine, it’s estimated the average breach discovery takes almost seven months.

Wawa says that the malware was blocked and contained by Dec.12.

What customers can do

In the letter sent to customers, Wawa offered several suggestions.

Anyone affected can register for a complimentary year of identity theft protection and credit monitoring through Experian, using the activation code 4H2H3T9H6. People should review their card statements, and it could help to request new card numbers or set up payment verifications on your cards.

Above all else, Siciliano, the cybersecurity expert, recommends just one measure: Call your bank or credit card company to set up push notifications for all your transactions.

“Text messages or emails alerting you to your charges in real time,” he said. “That’s the only thing that’s necessary here.”

Push alerts notify you of every charge — not just the ones that appear suspicious. It may seem like a lot, but it’s worth it, said Siciliano, who added that he may have been affected by the Wawa breach himself. He finds the alerts save him stress and the labor of having to meticulously pore over his statements.

For instance, he said, he was recently notified of an early morning charge at HomeGoods. He called his wife, and it wasn’t her making the purchase — she was driving the kids to school.

“We shop at HomeGoods,” he said. “If I didn’t get those alerts in real time, it’s likely we would have just let them go.”

Instead, Siciliano called his credit card company, and got the charges dropped immediately. Push alerts are your best defense, he said.

WHYY is your source for fact-based, in-depth journalism and information. As a nonprofit organization, we rely on financial support from readers like you. Please give today.

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal