- Hollis Johnson
- Wawa discovered a data breach caused by malware that began running on its payment processing systems in early March.
- The nine-month data breach affected credit and debit card numbers, expiration dates, and cardholder names at potentially all of the thousands of purchases made in Wawa locations and at fuel dispensers.
- Wawa is encouraging customers to review their credit and debit card account statements and is providing customers a free year of identity theft protection and credit monitoring.
- Sign up for Business Insider’s retail newsletter, The Drive-Thru, to get more stories like this in your inbox.
- Visit Business Insider’s homepage for more stories.
Wawa announced on Thursday that it had discovered a data breach that could have impacted customers over the last nine months.
“Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019,” Wawa CEO Chris Gheysens wrote in a public letter. “This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.”
According to Gheysens, in-store payment processing systems were impacted by the data breach starting in March. By late April, the malware was running on payment processing systems in most Wawa locations.
The data breach affected credit and debit card numbers, expiration dates, and cardholder names for potentially all purchases made in Wawa locations and at fuel dispensers. No other personal information was accessed, including PIN numbers, credit card CVV2 numbers, and driver’s license information. ATM cash machines located in Wawa locations were also not impacted.
Gheysens said that the company believed the malware no longer posed a risk to Wawa customers and that the company has “initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts.”
Wawa is encouraging customers to review their credit and debit card account statements. The company is also providing customers who may have been impacted a free year of identity theft protection and credit monitoring via Experian. More information on how customers can protect their information is available on the Wawa website.
“I apologize deeply to all of you, our friends and neighbors, for this incident,” Gheysens wrote in the letter on Thursday. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”