Wawa Data Breach 2019: How to Check if You Have Been Affected

Customers of retail chain Wawa could be at risk of fraud following a data breach that compromised payment systems.

Wawa, Inc. is a chain of convenience and fuel retail stores located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington D.C. and Florida. The company alerted consumers by letter that they were investigating and addressing a "data security incident" that hit its store locations. The open letter, attributed to Chris Gheysens, CEO of Wawa, explains that the company's IT security team discovered malware on the Wawa payment processing servers on December 10, 2019, and "contained" it by December 12, 2019.

"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained," says Gheysens. "At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines."

According to the open letter, the malware was present on most store systems between March 4 and April 22, 2019. The company says it has notified law enforcement and payment card companies, as well as engaging a "leading external forensics firm" to support response efforts.

However, it is believed that the malware compromised payment card information—including credit and debit card numbers, expiration dates, and cardholder names on payment cards—used at Wawa in-store payment terminals and fuel dispensers from March 4 until December 12, 2019. The open letter states that no other personal information was accessed by the malware: debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted purchases were not affected.

While Wawa says that there has been no unauthorized use of any payment card information as a direct result of the data breach, Liv Rowley, a threat intelligence analyst at cybersecurity threat detection company, Blueliv, believes that the information could end up in an "underground shop" on the dark web.

"This is a severe and worrying breach of customer data," Rowley explains. "It appears that Wawa was likely taking payments using track data—also known as magnetic stripe information—and unfortunately this kind of technology continues to be widespread across the U.S. due to the delayed implementation of more secure Europay, Mastercard and Visa (EMV) payment technology on many point of sale devices.

"It is likely that the data was stolen using point of sale malware, and we wouldn't be surprised to see the card information ending up in underground shops—such as Joker's Stash—either now or in the near future." According to Rowley, the information that was compromised during the data breach could allow cybercriminals to make "fraudulent purchases."

How to check if you have been affected by the Wawa data breach

If Wawa customers used their credit or debit cards in store or at fuel dispensers between March 4 and December 12, 2019, it is highly likely that their data could have been compromised, according to the open letter. Wawa has arranged a dedicated toll-free call center to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved. The number to use this service is 1-844-386-9559.

Wawa also offers this advice to customers who may have been affected:

  • Wawa has arranged for Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge. Visit the Experian IdentityWorks website to enroll. The activation code is 4H2H3T9H6 according to the open letter sent to customers.
  • When looking at the credit report, customers need to review the entire report carefully. They need to look for any inaccuracies or accounts they don't recognize, and notify the credit bureaus as soon as possible in the event there are any.
  • Customers can also place a fraud alert on their credit file to protect themselves from identity theft, according to Wawa. The alert communicates with merchants if new accounts are being made with the information on the credit report, letting the user know if their identity is being used.
  • If customers believe there is an unauthorized charge on their payment card, they need to notify the relevant payment card company by calling the number on the back of their card. According to Wawa, under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
  • According to Wawa, U.S. residents are entitled—under U.S. law—to one free credit report annually from each of the three nationwide consumer reporting agencies. Visit www.annualcreditreport.com or call toll-free at 1-877-322-8228 to claim.
  • Customers can also place a security freeze on their credit file, according to Wawa. This can prevent creditors from accessing credit files at the three nationwide credit bureaus without the customer's consent.

Many banks also permit users to configure alerts when a transaction of a certain size is made, says Carl Leonard, a principal security analyst at Austin-based cybersecurity company, Forcepoint. "If you don't normally spend more than $100, consider setting an alert to warn of transactions over that amount," he explains.

Once a customer detects any incident of identity theft or fraud, they need to promptly report it to their local law enforcement authorities, state Attorney General and the Federal Trade Commission (FTC). The FTC recommends also taking the following steps:

  • Close the accounts that have been confirmed or are believed to have been tampered with or opened fraudulently.
  • File a local police report, obtain a copy and submit it to creditors and any others that may require proof of the identity theft crime.

According to IBM's 2019 Cost of a Data Breach Report, the total cost of U.S. data breaches currently stands at $8.19 million. On average, a breach compromises 25,575 records.