WAWA, Pa. ““ A cybersecurity firm announced Tuesday, Jan. 28, that it detected criminal attempts to sell some customer payment card information involved in the 2019 Wawa data breach.
The popular Pennsylvania-based gas station and convenience store chain first reported its breach on Dec. 19, when it said that a months-long data security breach of potentially every location affected credit card information for customers.
Wawa has more than 40 locations in Delaware and 850 nationwide. The chain has a huge presence in the Mid-Atlantic region as well as Florida.
The breached information includes debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers, on cards used in store payments from March 4 to Dec. 12, according to an official announcement. ATM cash machines were not reportedly affected by the breach.
Gemini Advisory, a New York-based cybersecurity firm, reported that it was monitoring release of the affected information in a data dump nicknamed “BIGBADABOOM-III” on a dark web marketplace called Joker’s Stash, where breached info is put up for sale. The firm said that of the files it had reviewed, Wawa locations in Florida followed by Pennsylvania were the most affected, although compromised locations were identified in all six states in which Wawa operates.
Gemini Advisory noted that major breaches like Wawa’s often have low demand in the dark web, in part because the public scrutiny of them lead many of the affected customers to change their info before the stolen accounts could be utilized.
Regardless, Wawa said Jan. 28 that it was taking the necessary precautions to limit the impact of the available info.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data,” the company wrote in a Jan. 28 press release, encouraging customers to ” remain vigilant in reviewing charges.”
The company reminded customers that timely reporting of fraudulent charges will lead to them being waived under federal law and card company rules. It also said that it would work to reimburse any affected customer who isn’t reimbursed for fraudulent charges.
“At Wawa, nothing is more important than honoring and protecting our customers’ trust. Wawa continues to take steps to enhance the security of our systems,” the company said.
Wawa’s information security team discovered malware on company payment processing servers on Dec. 10 and contained it after two days, officials reported in December. Upon discovery, Wawa immediately engaged an external forensics firm and notified law enforcement.
Forensic investigators determined that the malware began running at different points in time after March 4, according to officials. The company “believes it no longer poses a risk to customers.”
Wawa is offering free identity protection and credit monitoring services to customers. Information about how to enroll can be found on a dedicated website: www.wawa.com/alerts/data-security. It has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559.
Data security breaches have become a startling problem for companies everywhere, but especially those who may hold sensitive financial or personal information.
In July, Capitol One announced that more than 105 million of its banking customers may have been compromised in a breach by a cloud service worker. In 2018, Marriott International reported that data on approximately 500 million customers had been stolen by hackers. In 2017, the credit bureau Equifax reported that more than 145 million consumer accounts had been breached.
The largest reported breach ever hit Yahoo in 2014, when some 3 billion accounts at the internet company were breached.
As a privately-owned company, Wawa will not suffer the same consequences in stock valuation as other victims of recent data breaches. According to Forbes, Wawa is the 25th largest private American company, valued at an estimated $12.1 billion.
By Jacob Owens
jowens@delawarebusinesstimes.com
