Wawa said Friday that it has reported its large-scale data breach to the FBI and doesn’t know who launched the cyberattack that went undetected for nine months.

The convenience-store chain discovered malware last week that compromised cardholder names, numbers, and expiration dates used in-store and at gas pumps at “potentially all” of its more than 850 stores since March 4. A day after announcing the breach, Wawa said it can’t determine how many customers were affected because of “the type of data involved.”

“We deeply regret any inconvenience or concern this may cause,” Wawa spokesperson Lori Bruce said. “We are continuing to work with leading security experts to enhance the security of our systems.”

Wawa found malware on its payment processing servers on Dec. 10 and contained it by Dec. 12. Although some Wawa locations might have been unaffected, malware was on most store systems by April 22, CEO Chris Gheysens wrote customers Thursday.

Debit card PIN numbers, credit card security codes, and driver’s license information were not affected by the malware, and the attack posed no risk to ATM machines, according to Wawa.

Wawa did not say how it was hacked. Typically, attackers access computer systems with “phishing” emails that dupe employees into handing over user credentials or clicking links that download malware, cybersecurity experts said.

“Hackers don’t attack computer code. Hackers attack user gullibility,” said Michael Levy, former chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania.

Once inside the system, criminals can use small pieces of computer code that are difficult to detect, allowing them to go unnoticed for months unless the company regularly has professionals check for malware. Hackers often aren’t discovered until they make a mistake or companies get a new security product that finds something unexpected, experts said.

“The malware’s ability to go undetected for the nine months from March to December, even as it spread [to other stores], also speaks to its sophistication,” said Marcus Fowler, director of strategic threat at Darktrace, a cyber artificial intelligence company with headquarters in San Francisco and Cambridge.

Wawa is hardly alone. Companies around the world have been hit with massive data breaches that have exposed the personal information of hundreds of millions of consumers in recent years. During the first nine months of this year, there have been 5,183 reported breaches exposing 7.9 billion records, according to Risk Based Security, a Virginia-based cybersecurity firm.

Wawa had over $12 billion in sales in 2018 and serves about 700 million customers annually, a spokesperson told The Inquirer in April.

Wawa said it will pay for a year of identity theft protection and credit monitoring, which customers can obtain by calling 1-844-386-9559 (activation code: 4H2H3T9H6). It also told customers to closely review account statements for unauthorized charges. Under federal law, customers who notify their card company shortly after discovering fraudulent charges won’t have to pay those charges.

“No one is going to lose money over that,” said Mark McCreary, a Philadelphia-based chief privacy officer for the Fox Rothschild firm. “It’s going to be a hassle.”

The 2017 data breach at Equifax was worse, McCreary said, because it exposed “extraordinarily rich data” such as Social Security numbers for nearly 150 million people, putting them at greater risk for identity theft. In July, Equifax agreed to pay up to $700 million to settle investigations into that breach.