Another Credit Union Sues Wawa Over Data Breach

One more credit union is suing convenience store and gas station chain Wawa in federal court for damages related to the company’s recent data breach.

The Newton, Penn.-based Inspire Federal Credit Union filed a class-action suit against Wawa on Jan. 29 in a Pennsylvania District Court. Similar to another class-action suit filed by First Choice Federal Credit Union on Jan. 3, Inspire’s suit said that the alleged breach exposed data from at least March 4, 2019 through Dec. 12, 2019, and that it compromised cardholder names, credit and debit card numbers and card expiration dates. It also said the breach forced credit unions to replace member cards and cover fraudulent purchases.

Inspire FCU has $190 million in assets and about 14,000 members. The New Castle, Penn.-based First Choice FCU has $46 million in assets and about 6,900 members.

“The financial costs caused by Wawa’s deficient data security approach have been and will be borne primarily by financial institutions, like plaintiff, that issued the payment cards compromised in the data breach. These costs include, but are not limited to, canceling and reissuing compromised cards and reimbursing their members/customers for fraudulent charges. Moreover, the duration of the data breach has and will cause plaintiff and other members of the class to suffer many millions of dollars more in damages than they would have suffered had Wawa had an adequate process in place to detect and contain the data breach,” Inspire said in its complaint.

Inspire FCU also alleged that Wawa ignored warnings that its point-of-sale system was susceptible to data breach, failed to implement certain protocols that it claimed would have prevented malware from infecting the point-of-sale systems and failed to install software to track access to and monitor its network adequately.

In a Dec. 19, 2019 statement addressing the breach, Wawa CEO Chris Gheysens apologized for the breach incident and said malware did not affect PIN numbers, CVV2 numbers, ATMs or driver’s license information. In a Jan. 28 update, the company said it had become aware of reports of criminal attempts to sell some of the stolen card information.

Similar to First Choice FCU, Inspire took issue with Wawa’s assurance that customers would not be responsible for fraudulent charges resulting from the data breach.

“Plaintiff is at risk of imminent and certain impending injury as a result of recurrent fraudulent transactions on payment cards linked to the Wawa data breach,” it said. “Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.”