On December 19, 2019, Wawa CEO Chris Gheysens released an open letter informing customers of the convenience store chain that their data may have been exposed. Gheysens revealed that Wawa had discovered a malware infection on their servers on December 10 and managed to contain it by December 12. The infection occurred sometime before March 4 when their network had been breached by a yet to be revealed attacker.
Wawa Data Breach and Server Malware Infection
The malware affected payment processing servers for approximately 850 store locations for the eight months after the initial breach, though Wawa’s investigators found most fraudulent activity occurred after April 22, 2019. According to Gheysens, the infection may have exposed payment card information (credit and debit numbers, cardholder names and expiration dates) at in-store and gas terminals throughout every location affected. No other personal information seems to have been leaked, and no ATMs at the locations were found to be affected.
The letter also informed potentially affected customers that Wawa had set up a deal with Experian to provide identity protection services at no extra cost. Customers can use activation code “4H2H3T9H6” to register for identity theft protection and credit monitoring by visiting www.experianidworks.com/credit or by contacting Experian at 1-844-386-9559.
Lawsuit Filed Against Wawa for Negligence and Noncompliance
Though Gheysens’ letter claims that no evidence had yet been found (at the time of writing) of any unauthorized use of the leaked data, a class action lawsuit was filed shortly after against Wawa by a group of affected customers. The lead plaintiff, Tabitha Hans-Arroyo of Woodbury Heights, NJ, says that she frequently used her credit card at Wawa locations and became the victim of a fraudulent charge using her information.
Not long after the breached was announced, Hans-Arroyo received a notification that her card had been used in a $2500 online purchase from Walmart – she claims this was not her’s and that her credit information was compromised. Now, Hans-Arroyo and the other plaintiffs are suing Wawa for damages “caused by Wawa’s negligence, breach of contract and violations of state consumer protection statutes,” as outlined in the suit documents.
Hackers Are Always Out There – Protect Yourself from Malware
What happened to Wawa can happen to anyone. Hackers are always searching for ways around static network defenses to silently infect your system while you are not looking. With 82,000 malware threats released every day, you must stay on top of your cybersecurity – especially when breaches like Wawa’s can expose data that can later be used to hack YOU.
Download our report to learn the Top 10 Ways Hackers Get Around Your Firewall and discover how you can prepare for inevitable cyber threats.