Wawa Announces Data Breach Potentially Affecting More Than 850 Stores

Wawa, a convenience store and gas station chain, notified customers Thursday of a data breach (Warning: source may be paywalled; alternative source) that collected debit and credit card information at potentially all of its more than 850 locations along the East Coast. It is now offering free credit monitoring and identity theft protection to those affected. The New York Times reports: Malware was discovered on Wawa payment processing servers on Dec. 10; it was blocked and contained by Dec. 12, the company said, adding that the malware no longer posed a risk to customers using cards to pay. Customer information including credit and debit card numbers, expiration dates and cardholder names on payment cards used in store and at fuel pumps was being collected as early as March 4, the company said. A.T.M.s inside stores were not affected. Debit card PINs, credit card security code numbers and driver’s license information were also not part of the breach, the company said, adding that it was not aware of any unauthorized use of any payment card information because of the breach. After learning of the breach, Wawa initiated an investigation, notified law enforcement and payment card companies, the company said, adding that it had brought on board an external forensics firm for support. The company, which is based in Pennsylvania, established a dedicated call center to answer questions. “Today, I am very sorry to share with you that Wawa has experienced a data security incident,” Chris Gheysens, Wawa’s chief executive, said in a letter. Customers will not be responsible for any fraudulent charges on cards related to the data breach, he said. “I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa.”