A data security incident may have affected Wawa’s 870-plus convenience stores.
The company is notifying potentially impacted individuals about a data security incident that affected customer payment card information used at its stores between March 4 and Dec. 12, 2019. Based on its investigation to date, Wawa said the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 security numbers. ATM machines in Wawa stores were not impacted by this incident.
Wawa also said it is not currently aware of any unauthorized use of any payment card information as a result of this incident. The retailer’s information security team discovered malware on its payment processing servers on Dec. 10, 2019, and contained it by Dec. 12. Wawa said that after discovering the malware it immediately engaged an external forensics firm and notified law enforcement, and that it does not believe the malware still poses a threat to customers.
"At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust," said Chris Gheysens, CEO, Wawa. "Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident."
Wawa is offering identity protection and credit monitoring services to customers at no charge. The retailer has also posted information on its website, including a letter from Wawa's CEO and more details for impacted customers.
Wawa currently operates more than 870 stores throughout Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.