
Pennsylvania-based convenience store and gas station chain Wawa lodged a lawsuit against the largest credit card network giant, Mastercard, in New York federal court on Monday, demanding a refund of $10.7 million it paid last year for data breach penalties linked to a 2019 breach of its customer payment security systems.
Wawa claimed in the lawsuit that the penalties it had to pay were illegal and that Mastercard had broken its rules by imposing an “unfair” penalty per account on customer accounts.
Wawa also claimed that Mastercard’s fine assessment was invalid because it was not based on actual losses or expenses that Mastercard or its insurers had incurred. Wawa claimed that the fines imposed by its credit card bank, Bank of America, violated Mastercard’s customer dispute standards and “basic principles of fairness, equity, and good conscience.”
Last August, Mastercard fined Bank of America $17.8m, claiming that the incident affected more than 5 million cardholders. The penalty was later reduced to $10.7m after Bank of America appealed against it, although Mastercard denied any errors in assessing the fine.
Wawa claimed that it paid the money under “duress” to its credit card bank, Bank of America, which forwarded it to Mastercard. It is now demanding that Mastercard pay it $32m in damages. The company alleged there was no evidence for Mastercard to determine that Bank of America was responsible for the breach. Mastercard didn’t respond to requests for comment.
In 2019, Wawa discovered hackers stealing card users’ information from its old-fashioned and easier-to-hack magnetic-stripe card readers at the gas pumps in 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC, and Florida.
Due to “circumstances beyond its control” caused by the delayed installation of the necessary software and hardware, Wawa admittedly took years to replace the chip readers and finally completed the installations by March 2020. In 2021, the company agreed to pay up to $9 million, in cash or gift cards, to consumers whose data were compromised.
