Wawa gas/convenience store says credit card hack hit all locations

If you used a credit or debit card at a Wawa convenience store or gas station between April 22 and December 12, your payment information has been compromised. The retail giant announced on Thursday that criminals managed to place malicious software on its point of sale systems, potentially impacting all Wawa outlets. The criminals then siphoned payment data out of the compromised computers.

The firm says hackers might have stolen customer names, account numbers, and expiration dates. The infected systems have been cleaned, Wawa says, so there is no ongoing risk to consumers from the malware incident. The firm does not believe the hackers stole PIN codes, CVV2 information, or driver license data associated with age-restricted purchases. Store ATMs were not impacted, Wawa says.

It was not immediately clear how many consumers’ account data was stolen. Wawa also says it doesn’t know of any fraudulent activity that has been reported as a result of the hack.

“Today, I am very sorry to share with you that Wawa has experienced a data security incident…. I apologize deeply to all of you, our friends and neighbors, for this incident,” said Chris Gheysens, Wawa CEO, in a statement posted on the firm’s website. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.”

To its credit, Wawa made this announcement soon after the firm became aware of the malware on Dec. 10. It also has a prominent notice atop its webpage with details about the hack. Wawa says it is offering a year of free credit monitoring to consumers impacted by the hack, but the site set up for consumer information did not provide how-to instructions as of this writing.

Independent computer security consultant Dennis Dayman said the incident is one of a long string of hacks involving retail point of sale systems.

“Many companies don’t run typical malware and anti-virus services on their production servers and they should be,” the Dallas-based consultant said to me. “They are typically concerned about how much load it will put on their server vs. being willing to deploy more servers to handle those sort of things, additional processes. It’s the cost factor that comes in over security.

“Grocers (and gas stations), like all retailers, must have a fully functioning cyberprogram in place for security purposes,” he said. “This includes a full risk assessment for data protection, development and implementation of a written information security program, development and testing of an incident response plan for cyberevents, vendor vetting and cyberstandards imposed on them, and PCI compliance.”

About Bob Sullivan 1648 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
