Convenience Store Chain Wawa Says Malware Affected Payment Servers
The chain’s CEO says ‘malware was present on most store systems by approximately April 22, 2019.’
Wawa, a Pennsylvania-based convenience store chain that has more than 800 locations on the East Coast, said on Thursday that it suffered a massive data breach starting this past March.
In a letter to customers posted on its website, Wawa CEO Chris Gheysens acknowledged that the company discovered malware on Wawa payment processing servers on Dec. 10, 2019, and “contained it by December 12, 2019.”
“This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” Gheysens said. “At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.”
Gheysens said that customers “will not be responsible for any fraudulent charges on your payment cards related to this incident.” He also said that although the dates may vary ”and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.”
Gheysens also said that the malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on Dec. 12, 2019.
“No other personal information was accessed by this malware,” he said. “Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.”
Gheysens said that if customers did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware.
“At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident. The ATM cash machines in our stores were not involved in this incident,” he said.
Wawa has locations in Delaware, Maryland, New Jersey, Pennsylvania, Virginia and Florida.