News

Wawa convenience stores, gas stations hit by major malware attack

December 20, 2019

Wawa, a widely used convenience store and gas station chain concentrated in the Eastern U.S., said it was hit by a data breach that affected most of its 850 locations.

Wawa officials said their payment processing servers were infected with malware starting on March 4 of this year and by April 22, was present on most of the chain's systems. The company's information security team discovered the malware on Dec. 10 and contained it by Dec. 12. The breach impacted credit and debit card numbers, names and expiration dates, but not PIN codes or CVV2 security numbers on the back of cards, the company said.

CEO Chris Geysens issued a public letter to Wawa customers, apologizing for the incident and promising to get to the bottom of what happened. 

"You are my top priority and critically important to all of the nearly 37,000 Wawa associates at Wawa," he wrote. "We take this special relationship with you and the protection of your information very seriously."

The company hired an outside forensics team and notified law enforcement, which is investigating the incident. 

The Pennsylvania-based chain has 850 retail locations, with 600 of them including gas stations, in New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington, D.C.

Cover image: Wawa