More Credit Unions Wade Into Wawa Lawsuits

The Cincinnati-based Greater Cincinnati Credit Union and Falconer, N.Y.-based Greater Chautauqua Federal Credit Union have added their names to the list of credit unions suing convenience store and gas station chain Wawa.

Greater Cincinnati filed its class-action complaint in federal court on Feb. 7. Greater Chautauqua, which has $69 million in assets and about 10,000 members, filed its suit on Feb. 18.

Similar to claims already filed by First Choice Federal Credit Union and Inspire Federal Credit Union, the complaints alleged the breach compromised data from at least March 4, 2019 through Dec. 12, 2019, and that it affected cardholder names, credit and debit card numbers and card expiration dates. The Newtown, Penn.-based Inspire has $190 million in assets and about 14,000 members. The New Castle, Penn.-based First Choice has $46 million in assets and about 6,900 members.

The complaints also claimed the breach forced credit unions to replace member cards and cover fraudulent purchases.

“The data breach caused or will cause substantial damage to plaintiff and class members, who are acting immediately to mitigate the risk of a massive number of fraudulent transactions being made on payment cards that they issued while simultaneously taking steps to prevent future fraud,” the Greater Cincinnati complaint alleged. “Consumers are ultimately protected from most fraud loss, but plaintiff and class members are not. Financial institutions, like plaintiff and other class members, bear primary responsibility for reimbursing members/customers for fraudulent charges and covering the cost of issuing new cards for members/customers to use.”

In a Dec. 19, 2019 statement addressing the breach, Wawa CEO Chris Gheysens apologized for the breach incident and said malware did not affect PIN numbers, CVV2 numbers, ATMs or driver’s license information. In a Jan. 28 update, the company said it had become aware of reports of criminal attempts to sell some of the stolen card information.

Some of the stolen data has apparently hit the dark web, according to Greater Chautauqua FCU’s complaint.

“On or around January 27, 2020, approximately 30 million stolen credit card accounts were posted for sale on the popular internet fraud bazaar known as the ‘Joker’s Stash.’ The Joker’s Stash noted that the cards were from ‘a huge new nationwide breach’ that purportedly included more than 30 million stolen credit card accounts by thousands of financial institutions across 40 or more U.S. states. This batch of stolen credit cards has been identified on the Joker’s Stash as ‘BIGBADABOOM-III.’”

That data is particularly valuable to criminals — and could be particularly costly to card issuers, according to the court document.

“Gemini Advisory, a New York-based fraud intelligence company noted that the largest concentration of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customers in Florida and Pennsylvania,” the complaint alleged. “Gemini Advisory also notes that the ‘median price of U.S.-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.’ Further, banks with a nationwide presence and financial institutions along the East Coast ‘have significant exposure.’”