According to a press release published on the company's website, on 4th March, attackers managed to install malware on its point-of-sale servers used to process customers' payments.
By the time it was discovered by the Wawa information security team on 10th December, the malware had already infected in-store payment processing systems at "potentially all Wawa locations."
Wawa also informed law enforcement to support their ongoing criminal investigation and notified payment card companies about the incident.
What has been compromised? The malware stole credit and debit card information, including card numbers, expiration dates, and customer names on the payment cards used at potentially all of its in-store payment terminals and gas pumps between 4th March 2019 and 12th December 2019.
"I apologize deeply to all of you, our friends and neighbors, for this incident," said Wawa President and CEO Chris Gheysens.
What's not been compromised? According to the company, debit card PINs, credit card CVV2 numbers, other PINs, driver's license information used to verify age-restricted purchases, and other personal information were not affected by this malware.
How did Wawa address the payment card breach? The company's information security team fully contained the malware within two days of its discovery and immediately initiated an investigation, engaging a leading external forensics firm to examine the incident and verify the extent of the breach.