Today, Wawa announced that they became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information.”, the company said in a statement We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.
Wawa is encouraging customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.
Wawa said they remain focused on providing resources and support to our customers who may be impacted by this incident. “We remind customers to sign up for the credit monitoring and identity theft protection we are offering free of charge by visiting our website (www.wawa.com/alerts/data-security) or by contacting our dedicated toll-free call center (1-844-386-9559).”
We remain confident that the malware we discovered on December 10 was contained by December 12 and since that time has not posed a risk to our customers, read the statement. ” We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved.” This incident did not impact ATM transactions.
On Thursday Wawa announced that the company is notifying potentially impacted individuals about a data security incident that affected customer payment card information used at potentially all Wawa locations during a specific timeframe. Based on the investigation to date, the information is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers.
The ATM cash machines in Wawa stores were not impacted by this incident. At this time, Wawa is not aware of any unauthorized use of any payment card information as a result of this incident.
Wawa’s information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019. After discovering this malware, Wawa immediately engaged a leading external forensics firm and notified law enforcement.
Based on Wawa’s forensic investigation, Wawa now understands that this malware began running at different points in time after March 4, 2019. Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers.
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” said Chris Gheysens, Wawa CEO. “Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident. To all our friends and neighbors, I apologize deeply for this incident.”
Wawa is supporting its customers by offering identity protection and credit monitoring services at no charge to them. Information about how to enroll can be found on the Wawa website below. Wawa has also established resources to answer customers’ questions, including a dedicated call center that can be reached at 1-844-386-9559, Monday – Friday, between 9:00 am and 9:00 pm Eastern Time or Saturday and Sunday between 11:00 am and 8:00 pm, excluding holidays. Wawa has also posted information on its website, www.wawa.com, including a letter from Wawa’s CEO and more details for impacted customers.
A detailed notice and open letter to customers from Wawa’s CEO notifying potentially affected individuals about the incident is available at www.wawa.com/alerts/data-security
Wawa, Inc. is a chain of convenience and fuel retail stores located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC, and Florida.