The AG deal follows the settlement last year of a class action suit by Wawa customers over the same incident for up to $9 million, plus $3.2 million in legal fees.
The Wawa deal ranks as the third-biggest settlement won by attorneys general from a major retailer over a credit card data breach, after Target ($18.5 million in 2017) and Home Depot ($17.5 million in 2020).
The company also agreed to make extensive security improvements over the next six months, including audits of PCI DSS compliance, pen testing and awareness training.
Wawa is a private company and does not have to disclose the costs of the incident, but the RiskLens data science team estimates that final costs would most likely be in the range of:
According to the Verizon DBIR, retailers suffered 629 cyber incidents in 2021, including 241 with confirmed data breaches. That put the industry at #9 for total incidents and #8 for number of data breaches among the 21 industries surveyed.
One notable retailer data breach announced in 2021: Neiman Marcus notified customers that it had learned of a payment-card data breach from 16 months earlier. Attorneys filed a class action suit this year on behalf of 4.6 million customers.
RiskLens data science estimates risk (or loss event probability) for companies in an industry sector based on historic performance plus a wide range of parameters such as revenue, number of employees and number of database records.
The probability of data breaches is relatively low in retailing: the sector comes in second from the bottom of the 10 industries RiskLens tracks, at 2.5% overall mean annual event probability. As you might imagine for an industry that stores large amounts of payment card (PCI) data, retailing is 3x as likely to accrue secondary response costs as the average of all sectors, and those costs are 40% higher than the average.
According to RiskLens data science, shown below are the annual likelihood and cost of the common types of cyber loss events for a retail enterprise, based on industry averages. We pulled these numbers from the RiskLens My Cyber Risk Benchmark tool.
As a point of comparison, take a system intrusion such as Wawa suffered: The average retail operation has a 4.9% annual probability of occurrence for a $44.7 million loss. Among large retail enterprises, the probability is lower, at a 2.7% chance of an event, but the cost is higher, at $461 million. The great majority of that cost goes to incident management, a reflection of the size and complexity of a large enterprise in the retail segment.
To rate security posture, the Benchmark tool incorporates grading by SecurityScorecard. Here’s how the annual probabilities of a system intrusion attack go up for a retail enterprise as security grades go down.
Stats in this blog post were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from SecurityScorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.