By: Swati Khandelwal
Hackers stole customers’ payment card information at Wawa, the Philadelphia-based gas and convenience store chain, which has disclosed a data breach incident that may have exposed payment card information of thousands of customers who used their cards at just about any of its 850 stores since March 2019.
What happened? According to a press release published on the company’s website, on 4th March, attackers managed to install malware on its point-of-sale servers used to process customers’ payments.
By the time it was discovered by the Wawa information security team on 10th December, the malware had already infected in-store payment processing systems at “potentially all Wawa locations.”
That means attackers were potentially stealing Wawa customers’ payment card information until the malware was entirely removed from its servers on 12th December 2019.
The company also said the malware was present on most locations’ point-of-sale systems by approximately 22nd April 2019, although some Wawa locations may not have been affected at all.
What has been compromised? The malware stole credit and debit card information, including card numbers, expiration dates, and customer names, from payment cards used at potentially all of its in-store payment terminals and gas pumps between 4th March 2019 and 12th December 2019.
What’s not been compromised? According to the company, debit card PINs, credit card CVV2 numbers, other PINs, driver’s license information used to verify age-restricted purchases, and other personal information were not affected by this malware.
Wawa also made it clear that the PoS malware never posed a risk to its ATM cash machines, and at the time of the data breach disclosure, the company was not aware of any unauthorized use of any payment card information as a result of this incident.
How did Wawa address the payment card breach? The company’s information security team fully contained the malware within two days of its discovery, and immediately engaged a leading external forensics firm to investigate the incident and verify the extent of the breach.
Wawa also informed law enforcement to support their ongoing criminal investigation and notified payment card companies about the incident.
Wawa, which has over 850 convenience retail stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, DC, is also offering identity theft protection and credit monitoring at no charge to anyone whose information may have been compromised.
“I apologize deeply to all of you, our friends and neighbors, for this incident,” said Wawa President and CEO Chris Gheysens. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”
What affected customers should do now? Customers who bought anything from any of the Wawa convenience stores since March this year are advised to monitor their payment card statements carefully.
If you find any unauthorized charges, immediately notify the relevant payment card issuer and consider placing a fraud alert or security freeze on your credit file at Equifax, Experian, and TransUnion.
Also, if possible, you should consider blocking the affected payment card and requesting a new one from your respective financial institution.
Senior cybersecurity and privacy reporter, Swati is also managing director at ‘The Hacker News.’