What to Know
- Wawa initially announced in December that Malware began running sometime around March 4, 2019, but wasn’t identified until Dec. 10. It was then contained on Dec. 12.
- On Tuesday, Wawa provided an update for customers, stating they became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data breach.
- The spokesperson said Wawa remains confident the Malware was contained by Dec. 12 and has not posed a risk to customers since that time.
Wawa announced Tuesday that there were reports of criminal attempts to sell customer information during last month’s data breach.
The company initially announced in December that Malware began running sometime around March 4, 2019, but wasn’t identified until Dec. 10. It was then contained on Dec. 12.
Customers who used credit and debit cards could have been affected by the data breach. Sensitive information included card numbers, expiration dates and cardholder names at more than 860 locations throughout the East Coast.
On Tuesday, Wawa provided an update for customers, stating they became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data breach.
Cybersecurity firm Gemini Advisory said information from the Wawa theft began to show up for sale on the dark web this week. Gemini said the data breach ranks among the largest ever, potentially exposing 30 million sets of payment records.
The breach affected all of Pennsylvania-based Wawa's stores, which stretch along the East Coast.
Police are investigating, and the company has said a forensics firm is conducting an internal investigation.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” a spokesperson wrote. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
The spokesperson said Wawa remains confident the Malware was contained by Dec. 12 and has not posed a risk to customers since that time.
“We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved,” the spokesperson wrote. “This incident did not impact ATM transactions.
A group of Wawa customers filed a class-action lawsuit against the company a week after the data breach was announced. The plaintiffs alleged that Wawa failed to take adequate security measures, which exposed customers to fraud and identity theft and left them vulnerable to criminals for potentially years to come.
Wawa CEO Chris Gheysens apologized "deeply to all of you, our friends and neighbors, for this incident,” and the company has offered customers one year of free credit monitoring and identity theft protection.
Wawa is encouraging customers to sign up for credit monitoring and identity theft protection free of charge through their website. You can also contact their toll free call center at 1-844-386-9559.
What You Can Do
Customers whose information may have been involved should consider the following recommendations from Wawa, all of which are good data security precautions in general:
Review Your Payment Card Account Statements: Wawa encourage customers to remain vigilant by reviewing your payment card account statements. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
Register for Identity Protection Services: Wawa arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you. Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/credit or contact Experian’s customer care team at 1-844-386-9559 (Monday - Friday, between 9:00 am and 9:00 pm Eastern Time or Saturday between 11:00 am and 8:00 pm, excluding holidays). Provide your activation code: 4H2H3T9H6
Order a Credit Report: If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228.
Review the Reference Guide: The Reference Guide provides additional resources on the protection of personal information.