Wawa convenience store chain disclosed a payment card breach that may have exposed debit and credit card data from thousands of customers.

Wawa convenience store chain disclosed a payment card breach, its security team discovered a PoS malware on its payment processing systems.

Wawa operates more than 860 convenience retail stores, this breach is potentially one of the biggest card incidents in 2019. The malware affected in-store payments and payments at fuel dispensers, anyway ATM machines were infected.

The malicious code infected the payment systems on December 10 and it was removed on December 12, the incident may have exposed debit and credit card data from thousands of customers.

“Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019,” Wawa CEO Chris Gheysens wrote in a public letter. “This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.”

The PoS malware was planted on Match 4, it began running on in-store payment processing systems at potentially all Wawa locations. The malicious code was designed to collect card numbers, cardholder names, and other data,

“Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations,” reads the data breach notice issued by the company.

“Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.”

The company is not aware of any unauthorized use of credit cards as a result of the payment card breach.

At the time it is not clear how many customers were affected by the incident.

The company is notifying customers and offering free credit card monitoring and identity theft prevention services to impacted customers. The company has hired a forensics firm to investigate the incident, it also reported the card breach to the authorities that are currently investigating into the case.

“As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it. We believe this malware no longer poses a risk to customers using payment cards at Wawa.” concludes the note. “As indicated above, we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter. We are also working with law enforcement to support their ongoing criminal investigation. We continue to take steps to enhance the security of our systems.”

Pierluigi Paganini

(SecurityAffairs – Wawa, data breach)