Wawa discovered a nine-month long data breach, but doesn’t know who launched the cyberattack that went undetected for so long.
The convenience store retailer discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019, and said it “believes it no longer poses a risk to customers.” After discovering this malware, Wawa engaged a leading external forensics firm and notified law enforcement.
The malware began running at different points in time after March 4, 2019. It compromised cardholder names, numbers, and expiration dates used in-store and at gas pumps at “potentially all” of its more than 850 stores since March 4. The ATM cash machines in Wawa stores were not impacted by this incident.
Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019, Chris Gheysens, Wawa CEO, said in an update.
"At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust," said Gheysens in a press release. "Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident."
Wawa is supporting its customers by offering identity protection and credit monitoring services at no charge to them. Wawa has also established resources to answer customers' questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday - Friday, between 9:00 am and 9:00 pm Eastern Time or Saturday and Sunday between 11:00 am and 8:00 pm, excluding holidays.