Wawa announces massive data breach potentially impacting customers' credit and debit card information

The breach potentially impacted all of Wawa's approximately 850 locations.

Convenience store chain Wawa announced a massive data breach that potentially compromised "customer payment card information" at all Wawa locations for approximately nine months.

The data breach could impact debit and credit card numbers, expiration dates and cardholder names, Wawa announced Thursday.

PIN numbers, CVV2 numbers (the three or four digit security codes on most credit cards) and driver's license information were not impacted, the company said.

The company said it discovered the malware in Wawa payment processing servers on Dec. 10 and had the issue contained two days later, but that the malware may have been running since March 4. The malware no longer poses a risk for customers, Wawa said.

“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” Chris Gheysens, Wawa's CEO, said in a statement announcing the breach.

“Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers. I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident," he added. "To all our friends and neighbors, I apologize deeply for this incident.”

Wawa said it is offering free identity protection and credit monitoring services for customers and opened up a hotline and website to answer questions customers may have about the data breach.

Wawa has approximately 850 locations nationwide and is headquartered in Wawa, Pennsylvania.  

Some experts say this security breach shows how long it can take businesses to catch up to cyber criminals.

"This news from Wawa further illustrates just how much time can pass between criminals gaining access to secure systems and when businesses catch up to the problem," Emily Wilson, the vice president of research at Terbium Labs, a digital risk protection provider, said in a statement.

"In this case, cyber criminals had the better part of the year to siphon off cardholder information from Wawa’s vast network of stores," she added.

Wilson recommends that consumers take proactive steps if they are concerned about the breach.

"While credit monitoring is a nice gesture, it’s often too little too late in the fight against cyber criminals," Wilson said. "Consumers are better off freezing their credit -- blocking fraudsters from opening new cards or accounts in the first place -- rather than relying on reactive alerts that a fraudulent account has already been opened.”