Photo: Getty Images/gsheldon
Is Wawa in hot water over its data breach?
Popular regional convenience store chain Wawa has been scaling and modernizing quickly, but a big data breach could rattle its growing, ardent fan base.
On Dec. 19, Wawa posted a public notice of a data breach, detailing a long-term cyberattack and its potential impact on customers. The malware, which was discovered on Dec. 10, had potentially been running on all of the chain’s point-of-sale processing systems from March 4 onward, with most locations having been impacted by Apr. 22. By Dec. 12, Wawa was able to contain the malware, but all Wawa customers who used in-store payment terminals and fuel dispensers (not Wawa ATMs) at any of Wawa’s locations during the 10 month span of the attack are at risk of their data having been compromised.
Credit/debit card numbers, expiration dates and cardholder names were potentially stolen. Wawa hired a forensics firm to investigate the breach, and in the notice pointed potentially impacted customers to resources they could use to address any issues arising from the breach.
In an interview with Newsweek, cybersecurity expert Liv Rowley points out that Wawa was likely still accepting the less secure magnetic stripe payment processing cards. That would mean the chain had yet to implement the EMV (chip) payment processing, which is more secure against this type of fraud. The technology, in use throughout Europe, was introduced in the U.S. in 2015.
While in the last five years news of data breaches has become commonplace to the point that they often don’t register with the public, incidents of this magnitude tend to make waves.
In 2017 credit reporting agency Equifax experienced a data breach compromising hundreds of millions of records, launching a public discussion about cybersecurity through the U.S.
In retail, Target’s notorious 2013 Thanksgiving point-of-sale data breach became a PR disaster for the store as customers vented outrage against the chain and derided its slow response.
In 2017, Target paid a $18.5 million settlement to 47 states and the District of Columbia to resolve an investigation into the 2013 breach, according to NBC News. The chain estimated the total cost of the data breach at $202 million.
BrainTrust
Dave Bruno
Director, Retail Market Insights, Aptos
Richard J. George, Ph.D.
Professor of Food Marketing, Haub School of Business, Saint Joseph's University
Frank Riso
Principal, Frank Riso Associates, LLC
Discussion Questions
DISCUSSION QUESTIONS: Will Wawa experience a significant impact from the data breach and what might that impact be? Will Wawa need to take more steps to recover from the breach?
News of data breaches has, unfortunately, become commonplace. And with few exceptions, again, unfortunately the news of such attacks goes away within the next few news cycles. So, likely this will be a blip on the screen and the majority of Wawa’s loyal shoppers will still shop with them. With the coming of CCPA and other future privacy regulations, however, privacy issues may become more and more a part of the conversation.
The Wawa brand is a very strong one and so they will still do well once the steps to protect their customers are complete. The impact will be minimal. They will prove to their customers that they are safe and we can get our Philly Soft Pretzels and lower gas prices again.
Wawa has an extremely loyal customer base. People refer to “my Wawa” in conversation wherever their stores are located. Will the data breach hurt? Yes, they always do, but I expect that the impact on the Wawa faithful will not be significant.
Another day, another breach. Most consumers are numb to these incidents and the free credit monitoring offers that will inevitably follow. At this point, I have more monitoring services than I do creditors. As long as Wawa is perceived as having taken swift and appropriate action, I don’t expect any meaningful impact to the brand.
I agree with you, Dave, that the impact will be minimal. But, isn’t amazing and unfortunate that any retailers are still not chip-compliant and even more astounding how long it takes some retailers to find malware and how little protection they really provide consumers? Many of these businesses are extremely large and I think they have an obligation to provide better card and data security for their shoppers.
Since consumers have no real skin in the game, I just don’t think they/we care.
Couldn’t agree more, Paula…
Exactly, the impact to consumers are spread out and most of it is handled by the financial institutions who aren’t putting the pressure on retailers and treat it as a cost of doing business
Wawa will endure minimal negative customer impact due to this data breach. Wawa customers refer to their stores as “My Wawa.” CEO Chris Ghysens’ letter to customers was a combination of transparency and empathy. Once the breach was found, I am told, Wawa went public within a couple of hours, saying and doing the right things.
The challenge to Wawa going forward is twofold: 1. Determining why it took so long to discover the breach, 2. Making the necessary capital and IT investments to prevent such a breach from occurring again. Note that most Wawa customers view their Wawa as family and with family the first mistake is often easily forgiven, not the same mistake twice.
You get the notice from the retailer telling you of a breach and advising you to change all your passwords and maybe your email address. Frankly, I ignore those notices. I have enough trouble with my own passwords. Maybe one day I will be sorry, but no disasters yet.
For several years we have seen the headlines of massive data breaches. The numbers are mind boggling. But how many of us have sensed in any way we have been personally breached? This has become just plain ho-hum. It will not impact Wawa nor will it affect whoever is next.
It’s “ho hum” unless you have your identity stolen. At that point, it becomes a crisis that is not easily fixed.
Very true.
No, nobody really cares … whether that’s good or bad I’m not sure. But back to Wawa itself: “popular” seems like an understatement. It’s my understanding the chain enjoys a cult-like following — Apple with fountain drinks, I guess — so it would be interesting to see a study evaluating if a store’s reputation/popularity has any impact on how a breach is perceived (my earlier comment that “nobody cares” notwithstanding).