Wawa claims “potentially all” locations affected
Convenience store and gas station chain Wawa has experienced a data breach that most likely impacted all of its 850 stores. The company’s security team found malware on its payment processing servers on December 10 and managed to contain it by December 12. The affected information included names, credit and debit card numbers, as well as their expiration dates.
In its notice to the public on December 19, Wawa explained that the malicious activity had been present on its payment processing systems from March 4, 2019, until it was contained by the internal security team. Customers who visited one of Wawa’s stores to buy themselves a snack or fill up on gas during that time might be affected.
Wawa said that customers could feel safe when making purchases at its stores as of December 12. Wawa President and Chief Executive Officer Chris Gheysens said that the company is deeply sorry for the incident and promised to do everything to ensure customers’ safety:[1]
I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.
Wawa is a large retailer on the US East Coast, operating stores in Pennsylvania, Maryland, Virginia, Florida, Washington D.C., and other states. Due to the number of affected stores, it is believed to be one of the biggest credit card data breaches of the year.[2]
No other critical information affected
Upon discovering the intrusion, Wawa immediately took the necessary steps to contain it and managed to do so within the following two days. The company also contacted a “leading external forensics firm” to investigate the data breach further, as well as law enforcement. In the meantime, Wawa said it is in the process of improving the security of its payment systems.
While it is highly likely that all the stores were affected, it is not all doom and gloom. Although the first signs of malicious activity were present on March 4, Wawa said that the malware had made its way to most of the stores by April 22. The company also noted that some customers, as well as some locations, might not have been impacted at all.
Another piece of good news is that the malware did not manage to breach other sensitive details about Wawa’s customers, such as CVV2 codes, credit/debit card (as well as other) PINs, and the information within the driver’s licenses that are used to verify age-restricted purchases.
Wawa’s customers should act immediately
Point-of-Sale (POS) malware[3] has become a real issue for many modern companies in the past few years, as criminal groups like Magecart are capable of injecting malicious JavaScript code into high-profile targets’ payment sites without being noticed for months. While there is no information on whether Magecart was the culprit this time, considering its previous targets like British Airways[4] or Ticketmaster,[5] it is highly likely to be the case.
As a result of the incident, Wawa arranged a dedicated toll-free call center (1-844-386-9559) to answer all questions regarding the breach, as well as a one-year identity theft protection plan with Experian. If you visited one of the Wawa stores on or after March 4, you might be affected; contact the provided number for further instructions and monitor your payment card account statements.