WAWA, Pa. – A months-long data security breach of potentially every location of Wawa, the popular gas station and convenience store chain, has affected credit card information for customers, officials announced Dec. 19.
Wawa has more than 40 locations in Delaware and potentially all of the company’s 850 locations could have been affected, officials said. The chain has a huge presence in the Mid-Atlantic region as well as Florida.
The information includes debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers, on cards used in store payments from March 4 to Dec. 12, according to an official announcement. ATM cash machines were not reportedly affected by the breach.
“At this time, Wawa is not aware of any unauthorized use of any payment card information as a result of this incident,” officials cautioned.
Wawa’s information security team discovered malware on company payment processing servers on Dec. 10 and contained it after two days, officials reported. Upon discovery, Wawa immediately engaged an external forensics firm and notified law enforcement.
Forensic investigators determined that the malware began running at different points in time after March 4, according to officials. The company “believes it no longer poses a risk to customers.”
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO, in a prepared statement. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Wawa is offering free identity protection and credit monitoring services to customers. Information about how to enroll can be found on a dedicated website: www.wawa.com/alerts/data-security. It has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559.
Data security breaches have become a startling problem for companies everywhere, but especially those who may hold sensitive financial or personal information.
In July, Capitol One announced that more than 105 million of its banking customers may have been compromised in a breach by a cloud service worker. In 2018, Marriott International reported that data on approximately 500 million customers had been stolen by hackers. In 2017, the credit bureau Equifax reported that more than 145 million consumer accounts had been breached.
The largest reported breach ever hit Yahoo in 2014, when some 3 billion accounts at the internet company were breached.
As a privately-owned company, Wawa will not suffer the same consequences in stock valuation as other victims of recent data breaches. According to Forbes, Wawa is the 25th largest private American company, valued at an estimated $12.1 billion.
By Jacob Owens
jowens@delawarebusinesstimes.com
