Wawa, a ubiquitous presence in Ocean County, warned that it discovered a data breach that may have exposed credit and debit card information for customers who used those methods to pay over a nine-month period.
Based on the investigation to date, the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers, a statement from the company said. The ATM cash machines in Wawa stores were not impacted by the incident, and Wawa said it is not aware of any unauthorized use of any payment card information as a result of the breach.
Wawa’s information security team discovered malware on Wawa payment processing servers on Dec. 10, 2019, and contained it by Dec. 12, 2019. After discovering the malware, Wawa “immediately engaged a leading external forensics firm and notified law enforcement,” the company said. Wawa’s forensic investigation determined that the malware began running at different points in time after March 4, 2019, and continued until containment last week.
“Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers,” the company said.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Wawa is offering identity protection and credit monitoring services at no charge to customers who may have been affected. Information about how to enroll can be found on the Wawa website linked below. Wawa has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday through Friday, between 9 a.m. and 9 p.m. Eastern time or Saturday and Sunday between 11 a.m. and 8 p.m., excluding holidays. Wawa has also posted information on its website, www.wawa.com, including a letter from Wawa’s CEO and more details for impacted customers.
Wawa’s information security site, with more details, can be found at this link.