Malware was discovered in Wawa’s payment processing
servers, and it’s believed that all convenience store locations were affected. The
stolen information includes names and credit card numbers, among other data.
Wawa CEO Chris Gheysens said that all of the company’s 842
stores in the United States had malware installed in the point-of-sale systems
for almost 10 months. In that period, the hackers managed to steal credit card
and debit card numbers, expiration dates and names.
The company determined that the incident started on March
4 and only ended on December 14, 2019. Interestingly, even if all of the stores
were infected by the malware, not all of them accessed had data leaks.
“As soon as we discovered this malware on December 10,
2019, we took immediate steps to contain it, and by December 12, 2019, we had
blocked and contained it,” says
Gheysens. “We believe this malware no longer poses a risk to customers using
payment cards at Wawa. As indicated above, we engaged a leading external
forensics firm to conduct an investigation, which has allowed us to provide the
information that we are now able to share in this letter.”
Recently, Visa warned merchants about point-of-sale (POS) system attacks carried out by cybercrime groups against North American fuel dispenser merchants. And while Visa didn’t name the merchants at that time, it’s clear that it’s a much bigger problem than anticipated.
The recent POS attacks are attributed to an Advanced
Persistent Threat (APT) group that has expanded its operations to eCommerce
merchants. Visa named Fin8 as one group that could have pulled this off, but
there’s no indication, at least not for now, that the Wawa incident is related to
Visa’s advisory.
If you’ve paid with a credit card at a Wawa station, keep
a close eye on your card statement and report any suspicious transactions
immediately.