The malware accessed customers’ payment card information, including credit and debit card numbers, expiration dates, and cardholder names used at potentially all Wawa in-store cash registers and fuel dispensers.
Wawa announced Thursday it has discovered a data breach that affected customers’ payment information at potentially all Wawa locations from March 4 up until last week.
The regional convenience store and gas station chain said its information security team discovered the breach last Tuesday, and the breach was contained by Thursday, Dec. 12.
“Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident,” said Chris Gheysens, Wawa CEO, in a statement.
According to a letter from Gheysens posted on the Wawa website, the malware accessed customers’ payment card information, including credit and debit card numbers, expiration dates, and cardholder names used at potentially all Wawa in-store cash registers and fuel dispensers.
The malware accessed the information at different points in time from March 4 to Dec. 12. In his letter, Gheysens said most locations were affected by April 22, but some locations may not have been affected at all.
Information such as debit card PIN numbers, credit card security codes, other PIN numbers and driver’s license information used to verify age-restricted purchases was not affected.
“At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident,” Gheysens said. ATM machines inside the stores were not affected.
Gheysens said the company is working with an external forensics firm as well as law enforcement to investigate the breach.
Wawa has set up a dedicated toll-free call center (844-386-9559) to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved.