Theannounced Thursday that it experienced a malware attack spanning more than nine months earlier this year. Customers' credit and debit card numbers, expiration dates, and cardholder names were potentially exposed in the breach, which impacted "potentially all" of the chain's hundreds of locations.
In a letter to customers, Wawa CEO Chris Gheysens said that the breach is believed to have begun at some locations on March 4, 2019, before spreading to others. "Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019," Gheysens wrote.
During that time, the malware affected payment card information including "credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers." Gheysens said that ATM's were not affected.
The company's information security team discovered the breach on December 10, and blocked and contained it by December 12, Gheysens said. The company then notified law enforcement and payment card companies, and hired an external forensics firm to investigate the breach.
"At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa," he wrote.
It's unclear how many customers were affected by the breach. According to Wawa's website, the chain has over 850 locations in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
"I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa," Gheysens added. "We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible."