Wawa suffers massive data breach, potentially compromising customers' credit, debit card data

Convenience store officials believe payment systems at most – if not all – of its locations were exploited by malware during the last 10 months

Wawa discovered malware on its payment processing servers this week, which affected customer payment card information dating back to March of 2019.
Thom Carroll/for PhillyVoice

Wawa discovered malware on its payment processing servers this week, potentially exposing the credit and debit card information of customers who used payment cards at any store dating back to March of this year, the company announced Thursday.

The company believes credit and debit card numbers, expiration dates, and cardholder names on payment cards were affected by the malware, but not debit card PIN numbers, credit card CVV2 numbers, or driver's license information. The hack potentially affects credit and debit cards used inside Wawa stores and at gas pumps.

The malware is believed to have affected information at most, if not all, Wawa's locations between March 4 and Dec. 12, according to a release from Wawa officials on Thursday afternoon. The malware was contained Dec. 12, and is believed to no longer pose a risk to Wawa customers, the company said.

"I apologize deeply to all of you, our friends and neighbors, for this incident," Wawa CEO Chris Gheysens said in a statement Thursday. "You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible."

Wawa believes the malware had been present on "most" of its store systems by April 22. Wawa said its information team identified the malware Dec. 10, and notified law enforcement and payment card companies. The company is currently working with an external forensics firm to conduct an investigation, as well as law enforcement, Gheysens said.

What to do to find out if your data was compromised

Wawa advised customers who may have had their info or data accessed to review their payment card account statements; register for identity protection services; and order a credit report:

"Customers whose information may have been involved should consider the following recommendations, all of which are good data security precautions in general:

Review Your Payment Card Account Statements. 

We encourage you to remain vigilant by reviewing your payment card account statements. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card.  Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.

Register for Identity Protection Services. 

We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you.  Information about these services is available at www.wawa.com/alerts/data-security or call toll-free to 1-844-386-9559.

Order a Credit Report. 

If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report.  In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies.  To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228."


Follow Adam & PhillyVoice on Twitter: @adamwhermann | @thePhillyVoice
Like us on Facebook: PhillyVoice
Add Adam's RSS feed to your feed reader
Have a news tip? Let us know.