MEDIA, Pa. — Wawa Inc. experienced a data breach that potentially affected all the convenience store retailer's locations.
In an open letter to customers, Wawa CEO Chris Gheysens said malware affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained on Dec. 12.
"At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines," he said.
Although the dates may vary and some Wawa locations may not have been affected at all, the malware was present on most store systems by approximately April 22, 2019. The retailer's information security team identified the malware on Dec. 10, and by Dec. 12, it had blocked and contained the malware.
"We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts," Gheysens continued. "Because of the immediate steps we took after discovering this malware, we believe that as of December 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa."
Based on the convenience retailer's investigation, the malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards. Information not accessed by the malware includes: debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases.
In addition to blocking and containing the malware, and conducting an investigation, Wawa is working with law enforcement and taking steps to enhance the security of its systems, according to Gheysens. The company also arranged for a dedicated toll-free call center to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved.
Customers whose information may have been involved can click here for more information on what next steps to take.
"I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa," Gheysens said. "We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible."
Based in Pennsylvania, Wawa operates more than more than 870 c-stores, with 600-plus offering fuel, in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C.