Wawa discovered malware on its payment processing servers on Dec. 10 that affected various locations beginning at different times from March 4 onward, Chief Executive Officer Chris Gheysens announced Thursday.
The malware was contained by Dec. 12 and Gheysens said in a letter to customers that he doesn’t believe the malware continues to pose a risk to Wawa patrons.
“Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019,” Gheysens said.
After discovering it on Dec. 10, the company “immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts,” he said.
The company has more than 250 stores in New Jersey, according to Convenience Store News.
Affected payment card information includes credit and debit card numbers, expiration dates, and cardholder names used at potentially all Wawa in-store payment terminals and fuel dispensers. Debit card PIN numbers, credit card CVV numbers, and driver’s license information used to verify age-restricted purchases were not affected.
Gheysens said the company was unaware of any unauthorized use of any payment card information as a result of the incident, and that Wawa’s ATM machines were not involved.
His letter advises customers to review account statements. Wawa has arranged with Experian to offer potentially affected customers with one year of free identity theft protection and credit monitoring. Visit the website or call 1-844-386-9559, a toll-free hotline set up by Wawa as a result of this data breach.
Those who enroll in Experian can also access their credit report.
A Wawa representative did not immediately respond to a request for further comment.