Wawa is investigating a data breach that exposed customers’ credit and debit card numbers used at potentially all of its locations, including the gas pumps, the company’s CEO said Thursday.
The convenience-store chain discovered malware on Wawa’s payment processing servers last week that had affected customer payment card information since after March 4, CEO Chris Gheysens wrote in an open letter to customers. The malware was discovered Dec. 10 and contained by Dec. 12.
The malware exposed credit and debit card numbers, expiration dates, and cardholder names on payment cards used in-store and at gas pumps at potentially all locations, Gheysens said. No other personal information was accessed by the malware, and it never posed a risk to its ATM cash machines, he said.
Gheysens said that customers “will not be responsible for any fraudulent charges on your payment cards related to this incident.”
Although some Wawa locations might not have been affected, the malware was present on most store systems by April 22, he said.
Wawa has more than 850 stores in six states and the District of Columbia, including in Pennsylvania, New Jersey, and Delaware. The company, which had more than a $12 billion in sales in 2018, serves about 700 million customers annually, a spokesperson told The Inquirer in April.
A company spokesperson said Wawa doesn’t know how many customers were affected, and is not aware of any unauthorized use of payment card information as a result of the incident.
“We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our review,” Wawa said in a statement. “While our investigation remains ongoing, we wanted to notify our customers as soon as possible, but regret that this comes right before the holiday season.”
Wawa is hardly alone. Companies around the world have been hit with massive data breaches that have exposed the personal information of hundreds of millions of consumers. In July, Equifax agreed to pay up to $700 million to settle investigations into a 2017 data breach that exposed Social Security numbers and other sensitive information for nearly 150 million people. Up to 500 million guests at Starwood hotels had their personal information exposed, Marriott International announced last year.
Wawa customers can call 1-844-386-9559 to ask questions and get free credit monitoring and identity-theft protection if their personal information was affected. Consumers should also review payment card account statements for any unauthorized charges.