WAWA, Pa. — Wawa Inc. has experienced a data breach involving malware that may have affected customers using credit and debit cards at the convenience-store chain’s approximately 860 locations in Pennsylvania, New Jersey, Delaware, Maryland, Virginia and Florida.
“Our information security team discovered malware on Wawa payment processing servers on Dec. 10, 2019, and contained it by Dec. 12, 2019,” said Chris Gheysens, president and CEO of the Wawa, Pa.-based retailer, in a notice posted on its website. “This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained. At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa.”
The malware never posed a risk to the chain’s ATMs, he said.
“Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019,” Gheysens said.
When Wawa’s information security team discovered the malware Dec. 10, the company immediately started an investigation and notified law enforcement and payment card companies, he said. “Because of the immediate steps we took after discovering this malware, we believe that as of Dec. 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa,” he said.
The malware affected payment card information, including credit and debit card numbers, expiration dates and cardholder names on cards used at Wawa in-store payment terminals and fuel dispensers, Wawa said, and no other personal information was accessed by this malware. It did not affect PINs, credit card CVV2 numbers (the three- or four-digit security code printed on the card) and driver’s license information used to verify age-restricted purchases.
Click here to read the full notice.