Have you used a payment card at one of convenience store Wawa’s outlets or gas stations this year? If so, you could have had your data stolen, after the company discovered information-skimming malware on its servers.
Wawa revealed that the malware hit its payment-processing system on March 4 but wasn’t discovered until December 10. It was contained by December 12. The company added that potentially all in-store payment terminals and fuel dispensers at Wawa locations were affected, though the infection never posed a risk to its ATM machines.
As payment cards passed through Wawa’s Point-of-Sale (PoS) system, the malware collected credit and debit card numbers, expiration dates, and cardholder names. It didn’t access debit card PINs, credit card CVV2 numbers, or driver license data used to verify age-restricted purchases.
The company says that it is not aware of any unauthorized use of any payment card data as a result of this incident and that the malware no longer poses a risk to Wawa customers. It is also offering free credit monitoring and identify theft protection to anyone whose information may have been compromised.
Wawa’s announcement comes just a week after Visa issued a second security alert—the first was in November—warning North American merchants that cybercrime groups were targeting gas pump PoS systems using data-stealing malware. The pumps use older technology that reads data from a card’s magnetic stripe, which is sent unencrypted to the gas station’s network, at which point criminals can intercept it.
Middle image credit: Benjamin Norman for The New York Times