Wawa is notifying potentially impacted individuals about a data security incident that affected customer payment card information used at potentially all Wawa locations (more than 800 stores) between March 2019-December 2019.

Wawa, Inc. is a chain of convenience and fuel retail stores located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC and Florida. Wawa’s information security team discovered malware on its payment processing servers on December 10, 2019, and contained it by December 12, 2019. Based on the investigation to date, Wawa says the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers. The ATM cash machines in Wawa stores were not impacted by this incident, says Wawa.

“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”

Wawa is offering identity protection and credit monitoring services at no charge to their customers.

Sam Rubin, Vice President at Crypsis Group, a McLean, Virginia-based incident response, risk management and digital forensics firm, says, “These sorts of large-scale credit card incidents illustrate just how sophisticated threat actors have become. Wawa is another victim in the ongoing battle against the multi-billion-dollar eCrime industry. The skill and determination brought to bear in this type of attack is what makes them so hard to prevent. The attackers were not only able to penetrate Wawa's networks, they were also able to move laterally across hundreds of stores to identify payment card systems, obtain access credentials and exfiltrate data. They did all of this while staying undetected for many months. Wawa took many of the right steps with this incident, including moving rapidly toward containment, beginning forensic investigation, notifying law enforcement and proactively communicating with their customer base. Often, we see the communications element missing in these cases, which can lead to further damage to brand and reputation."

Rubin says that these sorts of malware incidents are "becoming increasingly common and difficult to protect against, with expanding attack surfaces, enterprise complexity, and growing malware sophistication. What is becoming make or break for enterprises is ensuring they have appropriate incident response plans, following those plans, and, as an element within them, being very proactive with the public regarding communications.”

Alex Guirakhoo, Strategy and Research Analyst at Digital Shadows, says, “The malware was active on Wawa's payment systems for nine months before being identified and removed. Wawa has yet to confirm how many of its customers were affected, and we're unlikely to know the full extent of the data breach until investigations conclude. Given that Wawa operates over 800 stores in the US, the attackers were likely able to harvest a significant amount of financial data. The malware collected payment card numbers, expiration dates, and cardholder names, but PINs, CVV2, and driver's license information were reportedly not affected."

Guirakhoo notes that on cybercriminal marketplaces and automated vending carts (AVCs), the inclusion of PINs and CVV2 can increase the value of financial information. "However, card numbers, expiration dates, and cardholder names are still highly valued and widely traded by cybercriminals," he says. "These can be used to facilitate a range of fraudulent activities. It's not uncommon for some marketplaces to have millions of different financial records for sale that can be purchased for just dollars.”