Wawa Data Breach

[David H. Lipman]

https://www.wawa.com/alerts/data-security

"An Open Letter from Wawa CEO Chris Gheysens to Our Customers

December 19, 2019

NOTICE OF DATA BREACH

Dear Wawa Customers,

At Wawa, the people who come through our doors every day are not just customers, you are our friends and neighbors, and nothing is more important than honoring and protecting your trust.  Today, I am very sorry to share with you that Wawa has experienced a data security incident.  Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019.  This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.  At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.

I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident, as described in the detailed information below.  Please review this entire letter carefully to learn about the resources Wawa is providing and the steps you should take now to protect your information.  

I apologize deeply to all of you, our friends and neighbors, for this incident.  You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.  I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.

What Happened?
Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations.  Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.  Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.  We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts.  Because of the immediate steps we took after discovering this malware, we believe that as of December 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa. 

What Information Was Involved?
Based on our investigation to date, this malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019.  Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all.  No other personal information was accessed by this malware.  Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.  If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware.  At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident.  The ATM cash machines in our stores were not involved in this incident. 

What We Are Doing 
As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it.  We believe this malware no longer poses a risk to customers using payment cards at Wawa.  As indicated above, we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter.  We are also working with law enforcement to support their ongoing criminal investigation.  We continue to take steps to enhance the security of our systems.  We have also arranged for a dedicated toll-free call center (1-844-386-9559) to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved, which you can sign up for as described below. "

---

Wawa says malware may have collected customer card info

"New York (CNN Business)If you bought something with a credit or debit card from a Wawa convenience store in the last nine months, your personal information might have been swiped.

On December 10, the company found malware on the servers it uses to process payments at "potentially all Wawa locations," said Wawa CEO Chris Gheysens in a letter Thursday to customers. He added that the company was able to get rid of the malware within two days, and that the firm believes it no longer poses a risk to customers.

Cards used at Wawa stores between March 4 and December 12 could have been compromised. Gheysens said the malware could have affected credit and debit card numbers, expiration dates and cardholder names on cards used at in-store cash registers or gas pumps. Wawa's ATMs were not affected.

Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted items were not exposed, according to Gheysens.

 

At this time, the chain said it wasn't aware of any unauthorized use of payment card information. Gheysens said customers will not be responsible for fraudulent charges on their cards.

Wawa is offering free identity theft protection and credit monitoring at no charge to its customers.

The Philadephia-based chain has more than 850 convenience retail stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, DC, according to its website."

 

Edited December 20, 2019 by David H. Lipman

[David H. Lipman]

https://geminiadvisory.io/breached-wawa-payment-card-records-reach-dark-web/

Breached Wawa Payment Card Records Reach Dark Web

"By Stas Alforov and Christopher Thomas

Key Findings

• The Joker’s Stash marketplace, one of the largest and most notorious dark web marketplaces for buying stolen payment card data, began uploading records from its latest major breach on January 27. The breach was titled “BIGBADABOOM-III.”
• Gemini determined that the point of compromise for BIGBADABOOM-III is Wawa, an East Coast-based convenience store and gas station. The company first discovered the breach on December 10, 2019.
• Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. 
• Major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, JokerStash uses the media coverage of major breaches such as these to bolster their credibility as the most notorious vendor of compromised payment cards."