Convenience store chain Wawa announced Thursday it has suffered a massive data breach that has affected “potentially all” of its store locations and compromised the debit and credit card information of thousands of customers.
In an open letter to customers, Wawa CEO Chris Gheysens disclosed the company’s information security team discovered malware on Wawa payment processing servers on Dec. 10 and that the malware was blocked and contained by Dec. 12. “This malware affected customer payment-card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” Gheysens said.
Wawa has approximately 850 stores across the East Coast of the United States.
The compromised payment card information includes credit and debit card numbers, expiration dates, and cardholder names on payment cards used at Wawa in-store payment terminals and fuel dispensers. “Although the dates may vary, and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019,” the letter stated.
Following discovery of the malware, Gheysens said the company “immediately initiated an investigation, notified law enforcement and payment-card companies, and engaged a leading external forensics firm to support our response efforts.”
“At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines,” Gheysens said.