Wawa Reveals Massive Data Breach Potentially Impacted All Locations

PHILADELPHIA (CBS) — A massive data breach at potentially every Wawa location went unnoticed for months. Names, card numbers and expiration dates were likely available for hackers from March until last week, Wawa announced on Thursday.

We hear about data breaches happening at major corporations. Some we know and love, but Wawa feels sacred. It’s such a staple in this area. An attack like this means that most everyone you know should be double-checking their card statements.

“Wawa is just so innovative,” one customer said.

“St’s so convenient,” another customer said. “You can get gas. You can get a hoagie. It’s melted, it’s delicious.”

And the appreciation is mutual. A statement from Wawa CEO Chris Gheysens began with a heartfelt ode to customers.

“At Wawa, the people who come through our doors every day are not just customers, you are our friends and neighbors, and nothing is more important than honoring and protecting your trust,” Gheysens said.

This came after Wawa’s own trust and data was breached.

The company has informed customers that last week, their information security team discovered malware that had been present for months compromising customer payment information at potentially all of its nearly 850 stores.

“It is a concern. I think it would be a concern for a lot of people because a lot of people don’t carry cash so they pay debit and credit card,” a customer said.

According to Wawa, the malware began running from March 4, 2019 and was detected on Dec. 12. It’s believed that it was contained by Dec. 12.

That means that customers who used their credit or debit cards between March 4 and Dec. 12 in-store and at fuel dispensers are vulnerable.

Most locations were impacted as of April 22, 2019, but Wawa says some locations may not have been affected at all.

This malware affected card numbers, expiration dates and cardholder names.

ATM machines, PIN numbers and security codes were not compromised in the attack.

According to Wawa, they believe the malware no longer poses a risk to card-paying customers.

“Today, I am very sorry to share with you that Wawa has experienced a data security incident. Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019,” Gheysens said. “I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident.”

“I go to Wawa about twice a week,” a customer said.

Everyone CBS3 spoke with said they plan to monitor their card statements, but that they still got to have their Wawa.

“It is worrisome, especially if you’ve bought things and it’s been on a credit card purchase,” one customer said.

“I feel like at this point, everyone has been breached though,” another customer said.

Wawa is offering customers one year of free identity theft protection and credit monitoring. Concerned customers can call 1-844-386-9559 about the services.

You can read Gheysens’s full letter here.