Wawa Announces Massive Data Breach: What To Know

WAWA, PA — Wawa customers who used debit or credit cards at the company's convenience stores in the last nine months may have had their data exposed in a massive data breach, the company announced Thursday.

In a letter posted on the company's website, Wawa CEO Chris Gheysens said the company discovered malware on its payment processing servers Dec. 10.

"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained," Gheysens wrote. The company says the malware was contained by Dec. 12.

ATM machines in the stores were not affected by the breach, he said.

The company has 850 stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C.

"I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident," said the letter, which urged anyone who could be affected to take steps to monitor their accounts for credit fraud.

The company said its investigation found the malware began running in-store payment processing systems at potentially all Wawa locations starting around March 4 and was present on most of its stores' systems by April 22.

The malware affected payment card information, including credit and debit card numbers, expiration dates and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers.

"No other personal information was accessed by this malware," Gheysens said. "Debit card PIN numbers, credit card CVV2 numbers (the three- or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware."

If you did not use a credit or debit card in any of the stores during that time, your information was not affected.

The company did not say how the breach was discovered but said it immediately notified law enforcement and payment card companies. It also has hired an outside forensics firm "to support our response efforts," Gheysens said.

The company is working with law enforcement on the criminal investigation and taking steps to improve the security of its systems.

Anyone who is concerned that their debit or credit cards were compromised or who has questions about the breach can call a dedicated toll-free call center: 844-386-9559. Wawa is offering free credit monitoring and identity theft protection to anyone whose information may have been involved.

If you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authorities, your state attorney general and the Federal Trade Commission. If you believe your identity has been stolen, the FTC recommends that you take these additional steps:

• Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently. Use the FTC’s ID Theft Affidavit (available at www.ftc.gov/idtheft) when you dispute new unauthorized accounts.
• File a local police report. Obtain a copy of the police report and submit it to your creditors and any others requiring proof of the identity theft crime.

Customers whose information may have been involved should:

• Review your debit and credit card account statements. Unauthorized charges should be reported immediately. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
• Register for identity protection services. "We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you," Gheysens said. Information about these services is available on the Wawa website or by calling the dedicated data breach number: 844-386-9559.
• Order a credit report. "If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies," the letter said. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 877-322-8228.

Wawa customers with questions about the data breach or enrolling in the credit monitoring services can call the data breach response line at 844-386-9559. It is open 9 a.m. to 9 p.m. Eastern Time Monday through Friday and 11 a.m. to 8 p.m. on Saturday and Sunday, excluding holidays (which include Dec. 24, Dec. 25, Dec. 31, Jan. 1, and Jan. 20).

Other steps the company recommends:

Order your free credit report: Visit www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. Do not contact the three credit bureaus individually; they provide your free report only through the website or toll-free number.

When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don’t recognize, and notify the credit bureaus as soon as possible in the event there are any.

You have rights under the federal Fair Credit Reporting Act. These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete or unverifiable information. More information about the FCRA is on the Federal Trade Commission website.

Place a fraud alert on your credit file: To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect you against the possibility of an identity thief opening new credit accounts in your name. When a merchant checks the credit history of someone applying for credit, the merchant gets a notice that the applicant may be a victim of identity theft. The alert notifies the merchant to take steps to verify the identity of the applicant.

You can report potential identity theft to all three of the major credit bureaus by calling any one of the toll-free fraud numbers below. You will reach an automated telephone system that allows you to flag your file with a fraud alert at all three bureaus:

• Equifax: 800-525-6285, www.equifax.com
• Experian: 888-397-3742, www.experian.com
• TransUnion: 800-680-7289, www.transunion.com

Place a security freeze on Your credit file: You have the right to place a “security freeze” on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can request a security freeze free of charge by contacting the credit bureaus

Placing a security freeze on your credit file may delay, interfere with or prevent timely approval of any requests you make for credit, loans, employment, housing or other services. For more information regarding credit freezes, contact the credit reporting agencies directly.

Note: This article has been updated to include that the company's stores in Pennsylvania, where the company was founded. Patch regrets the omission.