Wawa revealed to its customers that a data security breach has impacted all of their store locations. The post was written by CEO Chris Gheysens, who apologized to customers and reassured them that the customers will not be responsible for any fraudulent charges on their payment cards.
Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations. Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present in most store systems by approximately April 22, 2019. Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.
The data breach included credit cards and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers at different points in time after March 4, 2019, and ending on December 12, 2019.
CEO Chris Gheysens says that no other personal information was affected by this malware. Debit card PIN numbers, credit card CW2 numbers, other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.
As is typical after a company realizes a data breach has occurred, Wawa has information in its website for those who have been affected by the breach. It includes the usual advice one would expect. Wawa is offering free credit monitoring and identify theft protection to customers affected by the breach.
The Verge notes that CEO Chris Gheysens “doesn’t begin to suggest how the malware got there or who might have been trying to get customers’ payment information.”
It is too bad that Wawa failed to notice the malware until very recently. The unfortunate result is that Wawa customers now have to worry about whether their credit card information is secure while trying to finish buying gifts for loved ones during the holiday season.