Wawa is notifying potentially impacted individuals about a data security incident that affected customer payment card information used at potentially all Wawa locations from last March until earlier this month, the company said in a statement.
Based on the investigation to date, the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers. The ATM cash machines in Wawa stores were not impacted by this incident. At this time, Wawa is not aware of any unauthorized use of any payment card information as a result of this incident, the company said.
The Delaware County-based convenience store icon said its information security team discovered malware on Wawa payment processing servers on Dec. 10, and contained it by Dec. 12.
After discovering this malware, Wawa immediately engaged a leading external forensics firm and notified law enforcement.
Based on Wawa’s forensic investigation, Wawa now understands that this malware began running at different points in time after March 4, 2019.
Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers, the company stated.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Wawa is supporting its customers by offering identity protection and credit monitoring services at no charge to them. Information about how to enroll can be found on the Wawa website below.
Wawa has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday - Friday, between 9 a.m. and 9 p.m. Eastern Time or Saturday and Sunday between 11 a.m. and 8 p.m., excluding holidays. Wawa has also posted information on its website, www.wawa.com, including a letter from Wawa’s CEO and more details for impacted customers.
A detailed notice and open letter to customers from Wawa’s CEO notifying potentially affected individuals about the incident is available at www.wawa.com/alerts/data-security.