Wawa, which operates hundreds of convenience stores along the East Coast, has reported details of a payment card data breach lasting nine months and potentially affecting all locations.
Consumers who used a credit or debit card at a Wawa location after March 4 may be exposed. In a statement, the company said the breach potentially exposed card numbers, expiration dates, and cardholders’ names.
Wawa says its security team found the malware on the company’s payment processing servers on December 10 and contained it two days later. The company says it brought in a forensics firm whose investigators determined that the malware began running at different times after March 4.
Consumers face no liability
Wawa CEO Chris Gheysens apologized to customers and said the company believes the malware no longer poses a risk.
"Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers,” Gheysens said. “I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”
Wawa customers who used a payment card at any location in the last nine months should carefully examine their bank and credit card statements during that time for unauthorized charges.
Customers should also notify the fraud departments of their card issuers to tell them the card was used at Wawa and may be potentially compromised. The institution may decide to issue new cards as a precaution.
Free credit monitoring
Wawa said it is offering identity protection and credit monitoring services at no charge to affected customers. You’ll find information about signing up here.
The company did not say -- and may not know -- how the system was breached. But as we reported earlier this week, fraudsters attacking gas pumps have become more sophisticated, using email phishing schemes to trick employees into downloading malware, which then makes its way to the card processing network.
When a customer buys gas with a credit card, the point-of-sale system sends the unencrypted data to the company’s main network where the scammer’s software is waiting to capture it. In issuing a warning, Visa said many companies make it easier for thieves by not walling off this data from the rest of the network.