Popular convenience-store chain Wawa Inc. has disclosed a data breach potentially affecting all of its 850 locations. The breach stemmed from malware on its in-store payment processing systems that collected customers’ payment card data – for almost 10 months.
The popular chain of Wawa convenience stores and gas stations are located along the East Coast (mainly in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, D.C.) of the United States. In a data-breach notice, the company said that the malware first infected in-store payment processing systems after March 4, and had infected most store systems by April 22.
“As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it,” according to the data breach notice.“We believe this malware no longer poses a risk to customers using payment cards at Wawa…we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter. We are also working with law enforcement to support their ongoing criminal investigation.”
Affected data includes payment-card information — such as credit- and debit-card numbers, expiration dates and cardholder names — on payment cards used at Wawa in-store payment terminals and fuel dispensers between March 4 and Dec. 12. ATM machines were not impacted.
Wawa said that debit-card PIN numbers, credit-card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers and driver’s license information (used to verify age-restricted purchases) were not affected by the malware.
The company said that it is offering credit monitoring and identity-theft protection without charge to anyone who may have been affected. In the meantime, it suggested that affected users register for identity-protection services, review their payment-card account statements and order a credit report.
With the holidays approaching and online shopping activity ramping up, malware targeting payment systems and point-of-sale (PoS) terminals is a top concern for retailers.
In the past, large brands like Catch, Applebee’s, Checkers and North Country Business Products have fallen victim to PoS malware. Meanwhile, new malicious PoS malware strains like PinkKite are popping up with new capabilities.
“Payment-gateway and point-of-sale malware has been in the news before — physical stores, online shopping, you name it — and malware has copied card data and shipped it off for nefarious characters to use,” Jason Kent, with Cequence Security, said in an email. “The unusual part of this story is that they [Wawa] weren’t notified of the breach externally. Does this mean the malware didn’t work? Did the perpetrator not sell the numbers for some reason? Is all of the effort to mitigate these types of attacks starting to work? Only time will tell, but it is pretty clear that this type of malware is still out there and vigilance in finding it and removing it is still needed.”
Threatpost has reached out to Wawa about how many customers were potentially impacted and how cybercriminals initially breached the network and will update this post with any new details.