Wawa wants $10.7M from Mastercard for “unjust” data breach penalty

Wawa Inc. has sued Mastercard International for at least $10.7 million for what the gas station chain claims were unjust penalties assessed for a 2019 data breach.

Wawa accused Purchase-based Mastercard of violating data security protocols in a lawsuit filed April 18 in U.S. District Court, White Plains.

Wawa gas station and food mart

The credit card company unjustly enriched itself, the complaint states, “through fraud, duress, and the taking of undue advantage by leveraging its position to unilaterally withhold funds that it knew or should have known it had no right to withhold.”

Mastercard spokesman Seth Eisen did not respond to an email asking for the company’s side of the story.

Wawa is based in a town by the same name near Philadelphia. For many years it operated a dairy, but when home delivery of milk began to decline in the 1960s it shifted to operating food marts to sell its products. Today, it runs hundreds of convenience stores and gas stations in Delaware, District of Columbia, Florida, Maryland, New Jersey, Pennsylvania and Virginia.

The dispute concerns Mastercard’s security protocols with the banks that accept payments for merchants. In this case, Bank of America processed transactions for Wawa when customers used credit cards or debit cards to buy gas.

In December 2019, Wawa discovered malware on its computer network that was designed to capture data embedded in the magnetic strips on payments cards when customers paid for fuel at the pumps.

Wawa notified Bank of America and the FBI, and it hired a forensic firm to investigate.

Investigators identified more than 5 million Mastercard accounts that were potentially affected, according to the complaint. But Wawa says investigators found no evidence that any account data were actually stolen.

Mastercard assessed Bank of America for nearly $17.9 million, based on their protocols for handling losses from fraud and for expenses incurred as a result of data security incidents.

But the entire penalty was for purported expenses incurred by Mastercard, according to the complaint, and $0 for fraud.

Bank of America objected to the penalty and Mastercard reduced the assessment to $10.7 million.

Wawa reimbursed Bank of America. In return, the bank assigned its legal rights against Mastercard to Wawa, thus setting up the lawsuit to recover the reimbursement.

Wawa argues that Mastercard violated its security protocols with Bank of America. Before it could assess a penalty against the bank, the complaint states, Mastercard had to demonstrate that the incident resulted in an actual theft of payment card data, the bank was responsible for the incident and at least 30,000 accounts were involved.

Wawa claims there is no evidence of an actual theft and no evidence that any one account, let alone 30,000, was affected. Therefore, Mastercard did not have the right to penalize Bank of America.

Wawa also claims that Mastercard’s purported expenses were based on estimates and assumptions and not on actual losses.

Wawa accused Mastercard of breaches of contract and fair dealing, unjust enrichment, and deceptive acts and practices.

It is demanding unspecified damages, but it cites a law in North Carolina, where Bank of America is based, that allows for treble damages. Based on the company’s $10.7 million reimbursement to the bank, alleged damages would amount to nearly $32.1 million.

Wawa is represented by Boston attorneys Douglas H. Meal and Seth Harrington.