East Coast convenience store chain Wawa agreed to pay $8 million in a settlement with a coalition of seven attorneys general announced Tuesday over its 2019 data breach that exposed the debit and credit card information of approximately 34 million payment cards.

Wawa neither admitted nor denied the investigation’s findings, which alleged the retailer “failed to employ reasonable data security measures” after a 2019 malware attack compromised its payment processing servers.

The settlement further alleged Wawa’s information security team failed to review alerts regarding the data breach, which constituted violations of state laws regarding consumer and personal information protection.

In December 2019, Wawa Chief Executive Chris Gheysens acknowledged the incident in an open letter to customers. The breach lasted from March 4, 2019, until it was contained on Dec. 12, 2019, he said, and the company “immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts” upon its discovery.

As part of the settlement, Wawa agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of customers, including:

  • Obtaining an information security compliance assessment and report from a third party using generally accepted procedures and standards within one year;
  • Maintaining a comprehensive information security program designed to protect consumers’ sensitive personal information;
  • Providing resources necessary to implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have key responsibilities for implementation and oversight of the information security program; and
  • Employing specific security safeguards with respect to logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, penetration testing, intrusion detection, and vendor account management.

Pennsylvania Attorney General Josh Shapiro, along with acting New Jersey Attorney General Matthew Platkin, led the investigation, with the help of attorneys general of Delaware, Florida, Maryland, Virginia, and the District of Columbia.

The $8 million agreement is the third largest attorneys general credit card breach settlement behind Target ($18.5 million) and The Home Depot ($17.5 million), according to a press release from Shapiro’s office.

Wawa did not respond to a request for comment.