Call today to start protecting your business:      (888) 987-1335

SecValMSSP | Managed Security Services & IT Consulting

Wawa hit with massive data breach, potentially affecting more

than 850 locations, CEO says

Malware exposed customers’ credit and debit card numbers and other data for more than eight months.


Taylor Telford 

Dec. 20, 2019 at 9:43 a.m. EST

Wawa says a large-scale data breach compromised the payment information of any customer who used a debit or credit card at any of its more than 850 stores since March.

In a letter to customers Friday, chief executive Chris Gheysens said the company discovered malware capable of exposing card numbers, expiration dates and cardholder names at “potentially all Wawa in-store payment terminals and fuel dispensers” since March 4. Debit card PINs, credit card security codes and driver’s license information for verifying age-restricted purchases were not affected, he said.

Gheysens said the convenience store chain is unaware of any unauthorized card use as a result of the breach, which was contained Dec. 12, two days after it was discovered. Wawa declined to tell The Washington Post how many customers or transactions were affected.

“I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident,” Gheysens said in a news release. “To all our friends and neighbors, I apologize deeply for this incident.”

The incident expands on what already is being billed as the worst year on record for data breaches, which have jumped 33 percent since 2018, according to Risk Based Security. The 5,200 breaches reported in 2019 have exposed nearly 8 billion records. Nearly 4 in 10 Americans have been affected by a data breach or identity theft in the past year, according to ScoreSense. Malicious breaches are the most common and most costly; those tied to human or machine error account for less than half of all incidents, according to IBM.

In June, lab-testing company Quest Diagnostics announced that a breach at its billing and collections vendor, the American Medical Collection Agency, had exposed the medical, financial and personal information of nearly 12 million people. In March, the Federal Emergency Management Agency announced it had accidentally exposed sensitive personal information of more than 2 million natural disaster survivors.

In July, Capital One announced that more than 106 million customers had been affected in one of the largest data breaches in history, when a hacker accessed information from scores of credit card applications, as well as 140,000 Social Security numbers and about 80,000 bank account numbers. Paige Thompson, a former software engineer with Amazon Web Services, was arrested and charged with wire fraud, computer fraud and abuse for the breach after apparently boasting about the hack online.

“As we look over the experience of 2019, what stands out is that we are often our own worst enemy,” Inga Goddijn, executive vice president at Risk Based Security, said in the report. “Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year.”

Breaches often take months to discover — 197 days on average, according to IBM — and approximately 69 days to contain. The typical U.S. data breach costs more than $8 million, IBM says, or more than twice the global average.

Philadelphia-based Wawa is offering free identity protection and credit monitoring services for its customers and has set up a call center and toll-free number, 1-844-386-9559. An external forensics firm is investigating the breach, as is law enforcement.

Though credit monitoring can be helpful, customers are better off freezing their credit to guard against fraudsters, given how much time has passed since the initial breach, said Emily Wilson, vice president of research at Terbium Labs, a digital risk protection provider.

“Cybercriminals could easily have allocated cards out to criminal carding shops and fraud forums, mixing unsuspecting Wawa customer data in with stolen cards from a host of other breaches,” Wilson said in comments emailed to The Post. “Stolen payment cards are in high demand on criminal platforms, and the Wawa breach was no doubt a nice inventory boost for the cybercrime community — especially for any lingering cards that may be up for grabs for fraudsters looking to do some shopping this holiday season.”

Mark McCreary, a cybersecurity expert with Fox Rothschild, said the information exposed in the Wawa breach poses a relatively low threat to customers.

“Yes, there may be fraudulent activity on credit cards, but consumers are not liable for those charges because of federal law protections,” Rothschild said. “But there should not be any material heightened risk of identity theft because of this incident.”

Federal protections for unauthorized debit card purchases hinge on how quickly the customer reports fraudulent activity. There is no cap on liability for unauthorized debit charges if the customer doesn’t report them until more than 60 days after a bank statement is sent. But given that debit PINs were not exposed, Wawa customers who paid with debit cards are at a lower risk.

Founded in 1964 as a roadside dairy market in the Philadelphia suburbs, privately held Wawa now has more than 850 stores throughout the East Coast. The convenience store chain has a cultlike devotion among customers who praise its coffee and sandwiches and customer service. It had more than $10 billion in revenue last year, making it one of the top 10 convenience store chains in the country, according to Winsight.