Wawa’s Data Breach Notification Fumble Turns Hoagie Fest into a Hoagie Mess

The convenience store chain, whose signature event is Hoagie Fest, recently discovered Malware infected their card readers back in March.
By: | December 20, 2019

If you’re reading this from Southeastern Pennsylvania, let me just say, put down the wooder because yous won’t believe what happened.

Wawa just got hacked. 

Well, not “just.” Malware infected the Pennsylvania-based convenience store’s payment processing system in early March, leaving customers’ names, credit and debit card numbers and expiration dates exposed for more than eight months.   

In an open letter released on December 19, 2019, the company’s CEO said the company discovered the malware on December 10. They believe the malware exposed the data of customers who purchased goods or gas from any of the chain’s more than 850 locations. 

The malware compromised customer data from March 4 till December 12, when the breach was contained. 

ATMs, debit card pins, and drivers’ license data used to verify age-restricted purchases were not affected. 

The breach left many of us at Risk & Insurance®, whose office is located 1.8 miles away from a Wawa, calling our banks and credit card providers to notify them of a potential breach. 

Once we got our personal affairs in order, however, we knew there was a story here. Because even the reputation of a beloved brand like Wawa will have a tough time withstanding a data breach that went for this long before customers were notified.   

Data Breaches Are a Reputational Risk Disaster 

Whether large or small, data breaches are a nightmare for a company. 

Just ask Target. Six years after their massive 2013 data breach and they’re still cleaning up the mess. They’re currently suing their insurer, Chubb Ltd., over tens of millions of dollars related to the breach that they argue should be covered under their policy.

 In the immediate aftermath of the event, Forbes reported that the retailer’s profit dropped 46%, suggesting that customers felt betrayed by the brand. Target may have survived, but this kind of reputational damage can be hard for a company to shake. 

While a data breach in and of itself may not be enough to topple Wawa — after all, Pennsylvanians love Wawa — the way they handled it certainly poses a threat. 

More than eight months went by before the threat was detected. After the company discovered it, it took them nearly ten days to notify their customers. 

That’s ten days people could have used to contact their banks and credit card provider to curb any potential data theft or damage to their accounts. If a customer’s debit card was compromised, ten days gives a criminal enough time to drain their bank account.

And that doesn’t even take into account the fact that their data had been compromised for months before incident was discovered.  

When it comes to managing your company’s reputation, the way you approach an event like a faulty product or a data breach can mean everything. 

After someone poisoned Tylenol bottles that were sitting in-stores during the 1980s, Johnson & Johnson came out looking like a crisis-management superstar. They took responsibility, recalled the product and invented the tamper-proof bottles that are now widely used by pharmaceutical companies.  

But when it comes to modern day lawsuits over the opioid epidemic, Johnson & Johnson has been slow to take responsibility and it’s damaged their brand. The company was recently handed a $572 million verdict for its role in causing the epidemic in Oklahoma alone.  

Protecting Your Business Against Cyber Risk 

Wawa’s data breach  illustrates the importance of protecting your company from cyber attacks. Regularly testing your network, employee compliance training and working with IT experts can all help protect your company’s, and your customer’s, data. 

Obviously the best type of cyber attack is one that didn’t happen or was prevented, but in a world of innovative and quick acting cyber criminals, it doesn’t always work out that way. 

Wawa and other companies facing a data breach can protect their reputations by developing a data breach response plan. This type of plan provides a road map that companies can use to respond if and when a breach occurs. 

Wawa’s breach is certainly embarrassing and it may affect their sales, but the company and cyber risk isn’t going away anytime soon.  

I know if the staff of Risk & Insurance® decides to go out for hoagies anytime soon, we’ll be bringing cash. Or maybe, we just won’t stop at Wawa at all. &

Courtney DuChene is a freelance journalist based in Philadelphia. She can be reached at [email protected].

More from Risk & Insurance

More from Risk & Insurance