Malware was discovered in Wawa’s payment processing servers, and it’s believed that all convenience store locations were affected. The stolen information includes names and credit card numbers, among other data.
Wawa CEO Chris Gheysens said that all of the company’s 842 stores in the United States had malware installed in the point-of-sale systems for almost 10 months. In that period, the hackers managed to steal credit card and debit card numbers, expiration dates and names.
The company determined that the incident started on March 4 and only ended on December 14, 2019. Interestingly, even if all of the stores were infected by the malware, not all of them accessed had data leaks.
“As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it,” says Gheysens. “We believe this malware no longer poses a risk to customers using payment cards at Wawa. As indicated above, we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter.”
Recently, Visa warned merchants about point-of-sale (POS) system attacks carried out by cybercrime groups against North American fuel dispenser merchants. And while Visa didn’t name the merchants at that time, it’s clear that it’s a much bigger problem than anticipated.
The recent POS attacks are attributed to an Advanced Persistent Threat (APT) group that has expanded its operations to eCommerce merchants. Visa named Fin8 as one group that could have pulled this off, but there’s no indication, at least not for now, that the Wawa incident is related to Visa’s advisory.
If you’ve paid with a credit card at a Wawa station, keep a close eye on your card statement and report any suspicious transactions immediately.