In December 2019, Wawa CEO Chris Gheysens announced that malware that steals credit card information had potentially been operating at Wawa’s 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC and Florida since March.
Last year, Wawa turned over $10.7m to the payment-card network in connection with the security incident. In a suit filed on Monday in federal court in New York, Wawa claimed that the penalties it paid were unlawful.
The complaint alleges that the fines issued by its credit card bank, Bank of America, to Wawa violated Mastercard’s standards for customer-related disputes and “basic principles of fairness, equity and good conscience.”
According to the suit, Mastercard violated its standards by imposing an “unfair” penalty per account on customer accounts. Wawa claims Mastercard’s assessment of the fine was invalid because it was not based on actual losses or expenses suffered by Mastercard or its insurers due to the card-skimming incident.
Mastercard fined Bank of America $17.8m over the data breach last August, claiming that more than 5 million cardholders had been affected by the incident. The penalty was later reduced to $10.7m after Bank of America appealed against it, although Mastercard denied any errors in its assessment of the fine.
Wawa claims that it made the payments to Bank of America under duress and is now demanding that Mastercard pays it $32m in damages. The company alleges that there was no evidence for Mastercard to determine that Bank of America was responsible for the breach.
Wawa stated in the lawsuit that a program completed in March 2020 to replace magnetic stripe card readers on its gas pumps with chip readers had been delayed by “circumstances beyond its control.”
In September 2021, Wawa agreed to pay $9m in cash and gift cards to settle a class-action lawsuit filed against it over the breach. The company also agreed to spend $35m upgrading its cybersecurity.