Days after Wawa data breach revealed, customers are suing

Wawa convenience store customers who had their credit card information exposed to hackers after making purchases at the retailer have filed a lawsuit alleging the gas-and-convenience-store chain was negligent in keeping their data safe. 

The lawsuit, filed in federal district court in Philadelphia the day after Christmas, claims Wawa officials should have taken more aggressive steps to protect customer information in an age where other major companies like Target and Whole Foods have seen their customer data exposed. 

The lawsuit also argues the Wawa data breach at the chain's 850 stores over nine months will inconvenience customers because they must spend hours "closing out and opening new credit or debit card accounts, ordering replacement cards, obtaining fraud monitoring services, resolving loss of access to cash flow and credit lines, monitoring credit reports and accounts." 

"Wawa was ... fully aware of its data protection obligations in light of its participation in the payment card processing networks and its daily collection and transmission of thousands of sets of card information," according to the lawsuit.  

Earlier this month, Wawa CEO Chris Gheysens announced on the company's website that malware had been found on company computer servers used for customer payment processing. Wawa officials said they found the malware December 10 and contained it December 12, Gheysens wrote, but customers who used their debit or credit card at Wawa stores between March 4 and December 10 may have had their card data exposed. 

"Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers," Gheysens said in an apology statement. "I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident."

Wawa is offering affected customers one year of free credit monitoring from Experian. Customers can enroll online or call (844) 386-9559. 

The malware attack didn't affect anyone who used an ATM at Wawa nor did it expose customers' PIN numbers, CVV numbers or driver's license information used for age verification during purchases, Gheysens said.

Wawa declined to comment further on Friday. 

The lawsuit noted a New Jersey resident who, lawyers said, is temporarily unable to use her credit card because of Wawa.

Tabitha Hans-Arroyo of Woodbury Heights said in the lawsuit she received an email from Capital One bank on Christmas Eve telling her that someone tried to make a $2,535.15 purchase on her credit card at Capital One rejected the transaction and told Hans-Arroyo to contact a call center. When she did, a representative told her that her credit card was affected in the Wawa data breach, according to the lawsuit. 

"Capital One locked Ms. Hans-Arroyo's credit card on December 24, 2019, the day before Christmas," the lawsuit stated. "Until Capital One issues Ms. Hans-Arroyo a new card, she has no access to her credit card funds."

Lawyers representing Hans-Arroyo and others affected said Wawa's apology and credit monitoring are too little too late because customers "have already had their sensitive data exposed to criminals for up to nine months." 

"Wawa was not only aware of the threat of data breaches, generally, but was aware of the specific danger of malware infiltration," the lawsuit continued, noting that malware has hit "large retailers such as Target, GameStop, Chipotle, Jason's Deli, Whole Foods, Sally Beauty, Neiman Marcus, Michaels Stores, Hy-Vee and Supervalu."

The lawsuit did not state how much money was being sought. Pennsylvania-based Wawa is the country's 25th largest private company, according to Forbes, and has about 37,000 employees and $10 billion in annual revenue. 
