Wawa Inc. discovered malware on its payment processing servers this month before stopping the breach Dec. 12, the company has said. Officials with the company, based in Wawa, Pennsylvania, believe the malware had been collecting card numbers, customer names and other data since as early as March.
The Philadelphia Inquirer reported Friday that at least six lawsuits seeking class-action status have been filed in federal court in Philadelphia.
"The data breach was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security," said one suit, filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford.
A Wawa spokesman declined to comment on the pending litigation.
The breach affected all stores, which stretch along the East Coast from Pennsylvania to Florida. In-store payments and payments at fuel dispensers were affected, but cash machines were not.
Wawa has said it will offer free credit card monitoring and identity theft prevention services to anyone whose information might have been collected.
Police are investigating, and the company has also hired a forensics firm to conduct an internal investigation.