Wawa Data Breach Communication Sets the Right Tone

An open letter to Wawa, Inc., from French Caldwell with contributions from Richard Stiennon.

Dear Wawa, Inc.,

Other than being a regular customer, I hardly know you.  But good job on the crisis response.  Thanks.

I’m sure you’ll figure out what went wrong that led to the breach of customer credit card data and what could have been done to detect the breach sooner.  And you’ll improve your cybersecurity risk management.  So, why do I have this confidence in you?  Well, it’s because of your crisis communication.  Let me count the ways:

1 — You brought in the experts quickly and within 2 days, you removed the malware from your point-of-sale systems.

2 — You took some time, but not too much time to assess the situation and announce the breach to your customers and the public.  To the uninitiated, 9 days after the breach may seem a long time — but there are companies and governments that have taken years to announce breaches.

3 — Your announcement came directly from the CEO and it was the right tone.  He apologized and reassured; he made no excuses.

4 — The letter from your CEO was informative and helpful.  After the apology, he clearly explained what happened, what you are doing about it, what steps customers can take, and where to get more information.

5 — All that said, a nine-month dwell time for malware on your point-of-sale devices is simply horrible. It implies that you were not doing regular checks or do not have network monitoring and managed detection and response in place. I am confident that your security team now knows what needs to be done and will take the necessary steps to ensure that dwell time is reduced to hours, not months.

Let’s see what happens next, but so far, I’m impressed with your crisis communications.  I’m hoping your experience turns into a positive case study on cyber risk, incident response, and crisis management.

As a Wawa customer — apology accepted.


The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate. Read more on the Disclosure Policy.