One of America’s largest convenience store chains announced Thursday that it suffered a major data breach.
The breach affected customers of Philadelphia-based Wawa, which has locations along the East Coast, according to WPVI.
The breach consisted of malware that could reveal card numbers, expiration dates and names of any customer who used a debit or credit card at any of Wawa’s more than 850 stores since March 4, CEO Chris Gheysens said in a letter to customers posted on the company’s website.
“This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” Gheysens wrote.
The letter said the breach was discovered on Dec. 10 and contained by Dec. 12.
Gheysens said the chain was unaware that any unauthorized card use had taken place as a result of the incident.
Gheysens said in his letter that ATM machines in the company’s stores were not compromised.
“No other personal information was accessed by this malware. Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware,” he said.
“Within the first nine months of 2019 there have been 5,183 breaches reported with 7.9 billion records exposed, and we are on track to reach 8.5 billion. Compared to the mid-year of 2018, the total number of breaches was up 33.3% and the total number of records exposed more than doubled, up 112%,” the information security firm wrote on its website.
“As we look over the experience of 2019 what stands out is that we are often our own worst enemy,” Inga Goddijn, executive vice president at Risk Based Security, said.
“Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year,” he said.
Wawa is giving customers who may have been affected one year of free identity theft protection and credit monitoring. It also established a call center for customers at 1-844-386-9559.
Mark McCreary, a cybersecurity expert for Fox Rothschild, said customers should face minimal impact from the breach.
“Yes, there may be fraudulent activity on credit cards, but consumers are not liable for those charges because of federal law protections,” Rothschild told The Washington Post. “But there should not be any material heightened risk of identity theft because of this incident.”
However, one expert urged consumers to do more than wait.
“This news from Wawa further illustrates just how much time can pass between criminals gaining access to secure systems and when businesses catch up to the problem,” Emily Wilson, vice president of research at the digital risk protection provider Terbium Labs, said in a statement to ABC News.
“In this case, cyber criminals had the better part of the year to siphon off cardholder information from Wawa’s vast network of stores,” she said.
“While credit monitoring is a nice gesture, it’s often too little too late in the fight against cyber criminals,” Wilson said.
“Consumers are better off freezing their credit — blocking fraudsters from opening new cards or accounts in the first place — rather than relying on reactive alerts that a fraudulent account has already been opened.”