First Choice FCU Sues WaWa Over Data Breach

First Choice Federal Credit Union has filed a class-action lawsuit against WaWa and is seeking damages related to a recent data security breach at the chain of gas stations and convenience stores, according to documents filed in a Pennsylvania District Court.

The complaint alleged that the breach exposed data from at least March 4, 2019, through December 12, 2019, and that it compromised cardholder names, credit and debit card numbers and card expiration dates. It also said the breach forced credit unions to replace member cards and cover fraudulent purchases.

“On or about March 2019, computer hackers accessed WaWa’s inadequately protected point-of-sale systems and installed malicious software that infected potentially every WaWa in-store payment terminal and fuel dispenser in the United States. Through this malware, hackers stole the payment card data of an untold number of customers,” First Choice alleged in its compliant.

The suit also claimed that, among other things, Wawa did not adhere to certain best practices regarding data security, didn’t upgrade its security systems, used outdated point-of-sale systems, ignored warnings about network vulnerabilities and ignored or violated certain industry standards.

In an open letter from WaWa CEO Chris Gheysens dated December 19, Wawa said the malware did not affect PIN numbers, CVV2 numbers, ATMs or driver’s license information. In its complaint, however, New Castle, Penn.-based First Choice FCU, which has $45 million in assets and about 6,600 members, took issue with the letter’s assurance that WaWa’s customers would not be responsible for fraudulent charges resulting from the data breach.

“WaWa has not provided any assurances to plaintiff and similarly situated payment card issuers who will lose millions of dollars as a result of having to cancel and reissue cards compromised in the WaWa data breach, refund fraudulent charges incurred by their members/customers, investigate fraudulent charges and the lost interest and transaction fees due to reduced card usage,” it said.

The breach’s damages exceeded $5 million, First Choice asserted. It also asked the court to require WaWa to use security protocols consistent with industry standards, including certain encryption measures, EMV technologies and audit procedures, as well as other upgrades and changes.

“Monetary damages, while warranted to compensate plaintiff and the class for out-of-pocket damages that are legally quantifiable and provable, do not cover the full extent of injuries suffered by plaintiff and the class, which include monetary damages that are not legally quantifiable or provable and reputational damage,” First Choice stated.

“Moreover, the duration of the data breach has and will cause plaintiff and other members of the class to suffer many millions of dollars more in damages than they would have suffered had WaWa had an adequate process in place to detect and contain the data breach,” the complaint said.

Data breaches have afflicted several large retailers and restaurants in the last several years, including Wendy’s, The Home Depot, Eddie Bauer, Target, Chipotle and others. Several of those breaches have resulted in lawsuits from credit unions.