Breach, Content

Wawa Data Breach: Security Incident Details and Updates

Wawa, the convenience store and gas chain with some 850 locations operating in six eastern states and Washington, D.C., has been hit by a massive, months-long data breach that includes stolen debit and credit card numbers.

The venerable Wawa, Pennsylvania-based company’s internal security staff found malware on its in-store payment processing servers on December 10, 2019 and contained the infection two days later, officials said. But the malicious code had been rummaging through its network since March 4, 2019 potentially contaminating the company’s entire roster of outlets. By April 22, malware was present on most store systems.

Wawa said it has engaged a “leading external forensics firm” but it did not identify the security provider nor the nature of the company’s immediate response to arrest the malware's spread.

While the heist included banking cards, expiration dates and cardholder names, it did not involve personal identification numbers, CVV2 numbers, and ATMs located in Wawa’s stores. The company said it is notifying customers who may be affected but it did not say how many were involved. There’s the potential, of course, for every customer entering one of its stores to be affected. At this point, Wawa said it is unaware of any illicit use of the pilfered cards.

Still, the nature of the burgled items makes it a foregone conclusion that they will be peddled on the dark web for as little as $5 per card. According to Internet of Things specialist Sixgill’s Underground Financial Fraud report, some 23 million bank cards had been offered for sale worldwide in the first half of this year, two-thirds of which came from the United States. Nonetheless, any cyber payment card burglary likely results in no financial loss to customers, inasmuch as swapping out missing or stolen cards for a new one is easy to do. However, it’s the lawsuits that will undoubtedly follow charging Wawa inadequately secured customer data, especially given that it took the company 10 months to uncover the breach, that will likely plague the company.

Wawa chief executive Chris Gheysens apologized for the breach in an open letter to the company’s customers. “I apologize deeply to all of you, our friends and neighbors, for this incident,” he wrote. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.”

Wawa said it has set up a dedicated toll-free call center (1-844-386-9559) to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved. It has also arranged with credit rater Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring. The company is also urging its customers to repeatedly review their payment card account statements and order a credit report.

“Along with the nearly 37,000 Wawa associates in all of our communities, we remain dedicated to serving you every day and being worthy of your continued trust,” Gheysens said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.