Convenience store and gas station chain Wawa informed customers of a data breach that compromised payment card information at most of its 842 locations.
In an announcement released December 19, Wawa CEO Chris Gheysens
stated that the company’s information security team had discovered malware on their payment processing servers about a week earlier. The malware had been active since March 4, 2019, meaning that payment card information including credit and debit card numbers, expiration dates, and cardholder names over the last several months may have been compromised.
“This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” stated Gheyser.
While Wawa specified that payment card security codes weren’t compromised in the breach, security experts have pointed out that they ultimately offer little protection in the face of a large-scale data breach. While a three or four digit code may be cumbersome for a human to guess, “[t]o a machine, it’s nothing,” said cybersecurity expert Matt Wilson to Philadelphia Magazine.
The exact nature of the malware used to breach Wawa’s payment card processing systems hasn’t been made available to the public, but it was apparently able to both overcome chip-based card protections and remain unnoticed for nine months on the company’s systems.
Wawa is offering a year of free identity protection and credit monitoring to affected customers.