BREACHED! On Thursday, the consumer-favorite convenience store ‘Wawa’ announced that it was the victim of a massive data breach that potentially compromised “customer payment card information” at all 850 Wawa locations for approximately nine months.
Wawa, Inc., headquarted in Wawa, Pennsylvania, is an American chain of convenience stores and gas stations located along the East Coast, with operating locations in New Jersey, Delaware, Maryland, Virginia, Washington D.C., and Florida. Think of it as the “Publix” of Florida.
The company believes the data breach to have potentially impacted the debit and credit card numbers, expiration dates, and cardholder names, as indicated in an ABC News report. Wawa emphasized that the PIN numbers, CVV2 numbers, and driver’s license information were not impacted.
Discovering the breach on December 10, Wawa said it found malware in the company’s payment processing servers and had the issue contained two days later. Unfortunately, problems still persist because the company believes the malware to have been running since as early as March 4 of this year. But company executives say that the malware no longer poses a risk for customers.
Hard to believe that one.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” Chris Gheysens, Wawa’s CEO, said in a statement announcing the breach.
“Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident,” he added. “To all our friends and neighbors, I apologize deeply for this incident.”
But do you really? Let me re-phrase. It’s easy to apologize when there’s little to no accountability or consequence for such an occurrence. But you just wait until January 1st.
As part of the company’s good will, they are even being so generous as to offer consumers free identity protection and credit monitoring services, and opening up its own hotline and website to answer questions customers may have about the data breach.
But too little too late. This is yet another example of how slow our technology is in keeping up with these cyber-criminals…plus throw in the human component to the equation.
However, as a practicing attorney, I continue to take the stand that these “after-the-fact” measures really are pointless and are simply just nice gestures that don’t help anyone. The damage is done and consumers are just better freezing their credit, rather than taking the chance or gamble of hoping their accounts haven’t been touched.
As a reminder, the CCPA comes into effect January 1, and if my predictions are correct, I foresee potentially one of the largest accountability periods for Silicon Valley’s tech giants and large corporate enterprises with respect to consumer data privacy.