The Wawa Breach is One of the Largest of All Time. When Do We Start Holding Companies More Accountable?

As reported by tech publication ZDNet, on January 24, 2020, hackers put the payment card details of more than 31 million customers up for sale on the black market. It was the end result of a security breach that occurred approximately a month before, with the convenience store chain Wawa’s discovery of malware on its point-of-sale systems. The malware was operational for months before the store discovered it.

For anyone who’s been paying attention, this is a depressingly familiar story. It happened before with Home Depot and Target. Unless something changes, it will happen again.

Sure, Wawa’s reputation will be damaged for a while. Per legal assistance site Top Class Actions, it’s also facing a class-action lawsuit filed by impacted customers. We don’t doubt that it’s also going to face a regulatory penalty of some kind. 

Yet for a major chain like Wawa, these are all drops in the bucket. By this time next year, it will once again be business as usual for Wawa. People will keep shopping at the chain, and its finances will inevitably recover. Frankly, this is unacceptable.

“What happens to the companies that allow our personal data to be stolen?” writes Rochester Institute of Technology Assistant Professor Josephine Wolff. “In most cases, nothing. Sometimes there is a short-lived flurry of bad publicity, a brief dip in stock prices, a class-action lawsuit or a Federal Trade Commission investigation that leads to a token settlement or fine.” 

“The difficulty lies in trying to determine where the line is between companies that do their due diligence and those that are negligent,” she continues. “We are caught between two extremes: a weak regulatory system in the United States that refuses to so much as investigate the Equifax breach and a fine-based scheme in Europe that is so harsh that regulators will never be able to impose the maximum allowable penalties.” 

What we need to do, notes Wolff, is strike a balance between Europe’s harsher regulatory system and the lack of tangible punishments in the United States. 

Until we can do that, incidents like the Wawa breach will continue to happen. Until we can do that, companies like Wawa simply don’t have much of a reason to care. 

