Wawa convenience stores is reporting a massive data breach that impacted payment card transactions potentially at all of its 800 locations.
Malicious actors managed to place malware on Wawa’s in-store and fuel pump POS systems starting on March 4, 2019 with all of its stores most likely being compromised by April 22. The company discovered the issue on December 10 and was able to fully block and remove the malware by December 12.
The information potentially stolen includes credit and debit card numbers, expiration dates and cardholder names. Debit card PINs and credit card CW2 numbers were not affected. Wawa gift cards also may be involved, although not specifically targeted, with the card numbers being stolen. The company is asking anyone who believes their gift card is affected to get in contact with Wawa customer service at 1-800-444-9292.
However, ATMs located at Wawa locations were not part of the breach.
Wawa President and CEO Chris Gheysens said the company will cover any fraudulent purchases made with payment card data stolen during this incident.
The company did not say how many potential victims were involved nor was any information given on how the malware was put in place.
Jason Kent, hacker in residence at Cequence Security, noted an interesting point in the company’s disclosure.
“The unusual part of this story is that they weren't notified of the breach externally. Does this mean the malware didn't work? Did the perpetrator not sell the numbers for some reason? Is all of the effort to mitigate these types of attacks starting to work,” he said.
Other industry pros expressed some satisfaction that Wawa security apparatus was able to at least partially protect their customers.
“It's still unknown how the criminals breached the network and accessed the data and it appears that the criminals were only able to get part of the credit card information. This is a testament to the organization's separation of data within their infrastructure to isolate the information, so if one system is compromised then all of the data cannot be stolen,” said James McQuiggan, KnowBe4’s security awareness advocate.
On the flip side Emily Wilson, vice president of research at Terbium Labs, was unimpressed with the amount of time the malware remained active and undetected.
“In this case, cyber criminals had the better part of the year to siphon off cardholder information from Wawa’s vast network of stores; while I’m sure the fraudsters weren’t happy to be caught, they can boast quite a trove of information from their time undetected,” she said.
Although it has not been revealed what type of malware was involved, retailers across the country have been hit repeatedly in 2019 with Magecart attacks predominating. In August Pedro Fortuna, CTO of Jscramber, penned the SC Media Executive Insight column Five strategies to stop Magecart to help companies from being victimized.