If you used your credit card or debit card to buy gas or pay for snacks at any Wawa convenience store, anytime in the past nine months, your card information may have been skimmed by malware. The Philadelphia-based gas and convenience store chain says it discovered the malware on its payment processing servers on December 10th, but it took quite a while for the company to notice — the malware may have affected all 700 of its locations across five states since March.

Credit card and debit card numbers, expiration dates and customers’ names on the cards used at its in-store registers and gas pumps were among the data affected, the company says. The company’s announcement and FAQ doesn’t begin to suggest how the malware got there or who might have been trying to get customers’ payment information, but the company says it has a forensics firm investigating the breach and is working with authorities on a criminal investigation into the matter.

According to Wawa president and CEO Chris Gheysens, the malware was dealt with on December 12th, so it’s safe to swipe or insert your cards now, and it’s possible crooks don’t have all the information they need: PIN and CVV2 numbers weren’t affected, the company claims, nor were any in-store ATM machines. It’s not clear how many customers may have been affected, but Wawa has stores in Delaware, Pennsylvania, New Jersey, Maryland and Virginia.

Wawa says customers shouldn’t be responsible for any unauthorized charges at its stores, and as has become par for the course in major card data breaches, it will offer free credit monitoring and identity theft protection to customers whose information may have been compromised. Anyone with questions can call its dedicated hotline at 1-844-386-9559.