Wawa has reported malware that was capable of capturing credit and debit card numbers. The malware had been in place during much of the year.
Wawa, which has about 800 stores, does not believe that cybercriminals captured pin numbers or three or four-digit numbers on credit cards. That information could be used to access cash or credit. An investigation is continuing.
In a letter to customers posted on the company’s website, CEO Chris Ghreysens said the company’s security team discovered malware on Wawa payment processing servers on December 10 and removed the code on Dec. 12.
The Wawa CEO said the “malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained.”
The malware did not affect automatic teller machines at its stores.
Wawa has thousands of point of sale devices on gas pumps and checkout counters at its stores in the Mid-Atlantic and Florida.
“I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible,” Ghreysens wrote.
Wawa notified law enforcement and payment card companies and hired an external forensics firm to support its efforts.
“At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident,” Ghreysens wrote.
The ATM cash machines at stores were not involved in this incident.
The letter went on to suggest steps customers can take to determine if any fraudulent activity took place.
