Wawa has notified customers about a data security incident that affected customer payment card information used at potentially all Wawa locations during a specific timeframe.
Based on the investigation to date, the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PINs or CVV2 numbers. The ATMs in Wawa stores were not impacted by this incident.
At this time, Wawa is not aware of any unauthorized use of any payment card information as a result of this incident.
Wawa’s information security team discovered malware on Wawa payment processing servers on Dec. 10, and contained it by Dec. 12.
After discovering this malware, Wawa immediately engaged a leading external forensics firm and notified law enforcement.
Based on Wawa’s forensic investigation, Wawa now understands that this malware began running at different points in time after March 4. Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Wawa is supporting its customers by offering identity protection and credit monitoring services at no charge to them. Information about how to enroll can be found on the Wawa website below.
Wawa has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday through Friday, between 9 a.m. and 9 p.m. Eastern Time or Saturday and Sunday between 11 a.m. and 8 p.m., excluding holidays.
Wawa has also posted information on its website, www.wawa.com, including a letter from Wawa’s CEO and more details for impacted customers.
A detailed notice and open letter to customers from Wawa’s CEO notifying potentially affected individuals about the incident is available at www.wawa.com/alerts/data-security.