In July 2022, Wawa, the convenience store and gas station operator, agreed to pay up to $8 million to the attorneys general of seven states and the District of Columbia to settle a lawsuit over its 2019 breach of payment card (PCI) data, which compromised about 34 million credit cards. The attorneys general alleged that attackers planted malware and moved through Wawa's systems for eight months because of lax security, including failure to comply with the PCI DSS standard and a SIEM that did not send alerts (Wawa admitted no culpability in the settlement).
The AG deal follows last year's settlement of a class action suit brought by Wawa customers over the same incident, for up to $9 million plus $3.2 million in legal fees.
Wawa's is the third-largest settlement attorneys general have won from a major retailer over a payment card data breach, after Target ($18.5 million in 2017) and Home Depot ($17.5 million in 2020).
Estimate of Probable Costs for Wawa from the Data Breach
Wawa is a private company and does not have to disclose the costs of the incident, but the RiskLens data science team estimates that final costs would most likely fall in the range of:
- $86.2M for Primary Response Costs (incident response)
- $2.3M for Secondary Fines & Judgments (levied by government regulators, for instance)
- $8.7M for Secondary Response Costs (incl. lawsuit settlements or other payments to customers)
- $97.2M Total
Retail Industry Data Breach Count
According to the Verizon DBIR, retailers suffered 629 cyber incidents in 2021, including 241 with confirmed data breaches. That put the industry at #9 for total incidents and #8 for number of data breaches among the 21 industries surveyed.
One notable retailer data breach announced in 2021: Neiman Marcus notified customers that it had learned of a payment-card data breach from 16 months earlier. Attorneys filed a class action suit this year on behalf of 4.6 million customers.
Most Probable Cyber Risks by Incident Frequency and Loss for Retailers
RiskLens data science estimates risk (or loss event probability) for companies in an industry sector based on historic performance plus a wide range of parameters such as revenue, number of employees and number of database records.
The probability of a data breach is relatively low in retailing: the sector comes in second from the bottom of the 10 industries RiskLens tracks, at a 2.5% overall mean annual event probability. As you might expect for an industry that stores large amounts of payment card (PCI) data, retailing is 3x as likely to incur secondary response costs as the average of all sectors, and those costs run 40% higher than average.
According to RiskLens data science, shown below are the likelihoods that the common types of cyber loss events would occur, and what they would cost, on an annual basis for a retail enterprise, based on industry averages. We pulled these numbers from the RiskLens My Cyber Risk Benchmark tool.
Enterprise Size and Security Posture Make a Difference in Retail Sector Cyber Risk
As a point of comparison, take a system intrusion such as the one Wawa suffered: the average retail operation has a 4.9% annual probability of such an event, with a $44.7 million loss. Among large retail enterprises, the probability is lower, a 2.7% chance, but the cost is higher, $461 million, with the great majority going to incident management, a reflection of the size and complexity of a large enterprise in the retail segment.
To rate security posture, the Benchmark tool incorporates grading by Security Scorecard. Here is how the annual probability of a system intrusion rises for a retail enterprise as its security grade falls:
- A = 2.7%
- C = 5.2%
- F = 7.9%
Stats in this blog post were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from Security Scorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.