Hackers Stole Payment Card Data from More Than 700 Wawa Outlets


Did you stop at any Wawa convenience store and use your payment card in the last nine months to buy gas or snacks?

If so, cyber criminals may have compromised your credit and debit card data.

Wawa, the petrol and convenience store retailer headquartered in Pennsylvania, has announced a data breach that may have compromised the payment card details of thousands of customers who have used their cards since March 2019 at any of its roughly 850 locations.

What has happened?

According to a press release published on the company's website, on March 4th attackers were able to install malware on the point-of-sale servers used to process customer payments.

The malware had already compromised in-store payment processing networks at “possibly all Wawa stores” by the time it was detected by the Wawa Information Security Group on December 10th. This suggests criminals were potentially collecting payment card data from Wawa customers until the malware was completely removed by the company's administrators on December 12th, 2019.

The firm also said that by about April 22, 2019, the malware was present on the point-of-sale networks of most stores, although some Wawa outlets may not have been impacted.

What was compromised?

The malware stole credit and debit card data, including card numbers, expiry dates, and cardholder names, from payment cards used at possibly all of its in-store payment terminals and gas pumps from 4 March 2019 to 12 December 2019.

What wasn’t compromised?

According to the firm, the malware did not affect debit card PINs, credit card CVV2 numbers, other PINs, driver’s license details used to validate age-restricted transactions, or other personal information.

Wawa has made it clear that the PoS malware never posed a risk to its ATM cash machines, and that at the time of the data breach notification the organization was unaware of any improper use of payment card details as a result of this incident.

When did Wawa address the payment card breach?

Within two days of detection, the organization's information security department fully contained the malware and promptly launched an inquiry, hiring a leading international forensics firm to investigate the incident and assess the severity of the breach.

Wawa has contacted law enforcement in support of their ongoing criminal investigation and reported the event to payment card providers.

Wawa, which has over 850 grocery retail stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, DC, is also offering identity theft protection and credit monitoring at no charge to anyone whose details may have been stolen.

“I apologize deeply to all of you, our friends and neighbors, for this incident,” said Wawa President and CEO Chris Gheysens. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”

What should the affected customers do now?

Customers who have purchased anything since March of this year from any of the Wawa convenience stores are urged to carefully monitor their payment card statements.

Should you notice any unauthorized charges, contact the payment card issuer promptly and consider placing a fraud alert or security freeze on your Equifax, Experian, and TransUnion credit files.

You should also consider disabling the impacted payment card and requesting a new one from your financial institution, if necessary.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.