Wawa Data Breach: Malware Stole Customer Payment Card Info

wawa payment card breach

Wawa said that payment-processing system malware had potentially affected all 850 of its locations.

Popular convenience-store chain Wawa Inc. has disclosed a data breach potentially affecting all of its 850 locations. The breach stemmed from malware on its in-store payment processing systems that collected customers’ payment card data – for almost 10 months.

The popular chain of Wawa convenience stores and gas stations are located along the East Coast (mainly in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, D.C.) of the United States. In a data-breach notice, the company said that the malware first infected in-store payment processing systems after March 4, and had infected most store systems by April 22.

“As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it,” according to the data breach notice.“We believe this malware no longer poses a risk to customers using payment cards at Wawa…we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter. We are also working with law enforcement to support their ongoing criminal investigation.”

Affected data includes payment-card information — such as credit- and debit-card numbers, expiration dates and cardholder names — on payment cards used at Wawa in-store payment terminals and fuel dispensers between March 4 and Dec. 12. ATM machines were not impacted.

Wawa said that debit-card PIN numbers, credit-card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers and driver’s license information (used to verify age-restricted purchases) were not affected by the malware.

The company said that it is offering credit monitoring and identity-theft protection without charge to anyone who may have been affected. In the meantime, it suggested that affected users register for identity-protection services, review their payment-card account statements and order a credit report.

With the holidays approaching and online shopping activity ramping up, malware targeting payment systems and point-of-sale (PoS) terminals is a top concern for retailers.

In the past, large brands like CatchApplebee’sCheckers and North Country Business Products have fallen victim to PoS malware. Meanwhile, new malicious PoS malware strains like PinkKite are popping up with new capabilities.

“Payment-gateway and point-of-sale malware has been in the news before — physical stores, online shopping, you name it — and malware has copied card data and shipped it off for nefarious characters to use,” Jason Kent, with Cequence Security, said in an email. “The unusual part of this story is that they [Wawa] weren’t notified of the breach externally. Does this mean the malware didn’t work? Did the perpetrator not sell the numbers for some reason? Is all of the effort to mitigate these types of attacks starting to work? Only time will tell, but it is pretty clear that this type of malware is still out there and vigilance in finding it and removing it is still needed.”

Threatpost has reached out to Wawa about how many customers were potentially impacted and how cybercriminals initially breached the network and will update this post with any new details.

Suggested articles


  • Greg on

    I spent a few months in Florida this year. After coming back to Europe in May, about $450 was stolen from my debit card by a single Walgreens payment in New York. Someone probably used a fake card. My bank is not even American, obviously they reimbursed the losses but the transaction itself was impossible to reverse. I was really wondering who pulled this off and how. Of course in Florida I shopped at Wawa several times. How is it possible to know whether my card number was involved in the leak?
  • Marc on

    Only Wawa can tell you (probably). However credit card transactions are insured and you should be able to claim it from your bank.
  • Branman on

    Greg - I have no real insight on your individual situation, BUT what they likely did was to sell your info and the person who bought it was in NY, or at least was able to place the charge in NY. There is usually a third party involved in the successful attacks. If you used your card at a gas pump, Wawa or anywhere else, that was where your card info was likely stolen. You would need to contact Wawa to find out if that was the source. They probably will tell you, but you would have to jump through a bunch of hoops to get to that point. They claim to have contacted everyone affected; I would be highly dubious of that claim, but I cannot substantiate that with any actual evidence. That sucks, sorry. 2 years ago, I had to have my credit card replaced 3 times in one year due to repeated fraudulent charges, and I live in Florida!!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.