Wawa’s data breach hits close to home but reflects global problem | Editorial

With 850 locations from New Jersey to Florida, 700 million customers a year, and more than $12 billion in annual sales, Wawa — which opened its first convenience store 56 years ago in Delaware County — is no longer just a Philly regional favorite. So the questions about a breach of customer data that went undetected for nine months in 2019 have more than local ramifications; a half-dozen lawsuits have been filed in federal court, alleging that Wawa’s computer system was not adequately protected from hackers. Meanwhile the privately held company’s tight-lipped, strictly by-the-numbers response so far strikes us as underwhelming.

Beginning March 4, names, numbers, and expiration dates on customer credit and/or debit cards were compromised by a cyber hack that installed malware on servers used to process gas pump and in-store transactions at potentially all Wawa locations. Drivers licenses, birth dates, and other consumer data were not hacked, according to the company, which said it discovered the malware December 10 and contained it by Dec. 12. Wawa announced the breach on Dec. 19 and posted an “open letter” from CEO Chris Gheysens.

Wawa’s is just the latest of many such hacks at businesses that collectively and relentlessly erode public trust and individual privacy. Those include Target in 2013, and also involve the inadvertent postings of private data by public agencies, such as Philadelphia’s public health department.

Even more maddening: The Wawa hack was discovered about a month after Visa, the nation’s largest credit card network, warned that gas pumps using magnetic-stripe card readers are vulnerable to hacking.

As for what looks to us like a week’s delay in notifying customers about the hack, Wawa’s response is governed by state law that experts say can allow a privately held company some leeway in notification until a breach is found likely to “cause loss or injury" to customers, The Inquirer’s Joseph N. DiStefano noted in his Jan. 5 column.

» READ MORE: Wawa faces wave of lawsuits in aftermath of massive data breach

» READ MORE: Wawa says data breach exposed credit card information at potentially all locations

That could change. The National Conference of State Legislatures says Pennsylvania and New Jersey are among some 25 states mulling over legislation to bolster consumer data protection. Pennsylvania’s bill, introduced in April, would improve consumer access to and control over what information businesses collect about them and how it is used. New Jersey is considering bills that would establish obligations for businesses.

Last May, officials from the Federal Trade Commission testified before the House Energy and Commerce Subcommittee on Consumer Protection and Commerce in support of such efforts at the federal level. And U.S. Sen. Ron Wyden, a Washington state Democrat who is a leader in technology issues, has proposed the aptly named “Mind Your Own Business Act" to impose monetary and other possible penalties — such as jail time for company officials — for certain violations of customer privacy, require clear federal rule-making, and increase resources for FTC enforcement.

Meanwhile, consumers are losing their personal and financial privacy to hackers. Tech innovations allowing us to do more and more online move at the speed of light. Meanwhile, laws and policies that protect consumers move as slowly as snail mail. Time for lawmakers — and businesses — to take this seriously, and get moving.